Abstract

The present report describes the results of an investigation of techniques
for using continuous simulation models as basis for reasoning about physical
systems, with emphasis on the diagnosis of system faults. It is assumed
that a continuous simulation model of the properly operating system is
available. Malfunctions are diagnosed by posing the question: "how can
we make the model behave like that?" The adjustments that must be made
to the model to produce the observed behavior usually provide definitive
clues to the nature of the malfunction. A novel application of Dijkstra's
weakest-precondition predicate transformer is used to derive the preconditions
for producing the required model behavior. To minimize the size
of the search space, an envisionment generator based on interval mathematics
was developed. In addition to its intended application, the ability
to generate qualitative state spaces automatically from quantitative simulations
proved to be a fruitful avenue of investigation in its own right.
Implementations of the Dijkstra transform and the envisionment generator
are reproduced in the Appendix.
INTRODUCTION


The present report describes the results of a research project extending over two 
years, consisting of an investigation of techniques for using continuous simulation 
models (CSMs) as basis for reasoning about physical systems. In particular, 
techniques for model-based reasoning about faults of physical systems were to 
be investigated. The underlying idea is as follows: we assume that a CSM of the
actual system is available, and that this model reflects the behavior of the actual 
system with a fidelity that suffices for the given application. A malfunction in 
the actual system will produce symptoms, i.e. a stream of data (observations) 
reflecting the aberrant behavior. We then pose the question “how can we make 
the model act like that?” Presumably the adjustments that must be made to 
the model to produce the observed behavior will provide definitive clues to the 
nature of the malfunction. 

Such an approach is based on two important assumptions. The first is that 
the model on which the diagnosis is based is a component model rather than a 
response surface, i.e. that the structure of the model reflects the nature of the 
actual system. (The research area known as causal modeling is concerned with 
this same issue, and in fact carries these concerns further than our application 
requires.) By way of example, consider the familiar linear harmonic oscillator, 
described by the equation 

m*x" + d*x' + k*x = F(t) 

This equation is a constraint model rather than a causal model. Nonetheless, 
attributes of the basic system components are represented; for example, if we are 
dealing with a mass-spring system, then m represents the mass, d the damper 
resistance, k the spring stiffness, and F(t) the driving force. By contrast, a
response surface model may be constructed by fitting, say, a polynomial to data
representing the behavior of a mass-spring system. Such a model will in no
way reflect the structure of the underlying system, and will be unsuitable for
system identification-based diagnosis.

The second assumption underlying our approach is that the adjustments 
to the model that make it reproduce the aberrant behavior observed in the 
actual system consist of finding new values for system parameters, rather than 
structural changes such as addition of new equations. This is plausible, in that 
addition of new structure in the form of equations corresponds to addition of
new constraints. Malfunctions, however, generally involve the modification or 
removal of existing constraints, which can frequently be modeled by parameter 
adjustments. For example, spring breakage in the mass-spring system discussed 
above can be represented by setting k to 0. 

Three innovations which we consider to be significant were developed and
integrated. They are:

1. the development of a canonical schematic form for continuous simulation
models

2. the application of Dijkstra's predicate transformers to algorithmic mappings,
leading to techniques and results which extend techniques familiar
from continuous mathematics to CSMs

3. the development of qualitative reasoning techniques based on quantitative 
models. These techniques include the application of interval mathematics 
to perform automatic generation of envisionments from CSMs, and the 
use of predicate transformers to do fault diagnosis on the basis of these 
envisionments. 

In the subsequent discussion we will often use the abbreviations qn for "quantitative"
and ql for "qualitative", since these are more easily distinguished than
their abbreviands.

The results we have developed afford a number of interesting analogies with 
techniques from continuous mathematics, particularly dynamical systems theory 
[4]. Among these are formal parallels in model structure, the use of transforms to 
derive information from the model, and conceptual similarities in the treatment 
of questions such as steady-state conditions and system identification. We have 
even found a transform-based representation of iterative programs that is formally
analogous to a power series expansion. 

While the results to be described are mathematically interesting, the intent 
of this research was to develop approaches to the diagnosis of faults in actual 
physical systems. We believe our results to be of practical value for several 
reasons:

• CSMs of physical (and frequently economic, urban, and other) systems 
are often available. An understanding of the distinct operating regions 
of such models is almost always necessary in order to reason about the 
system. An envisionment is a schematic representation of these operating 
regions; it is therefore evident that a technique for automatic generation 
of envisionments from CSMs should be of value. 

• The Dijkstra transform, which was originally developed in a programming 
methodology/software engineering context, has proved to be a powerful 
tool for pre- and postdiction when applied to CSMs. Chapter 1 of this
report establishes its general usefulness by describing its application to
derivation of steady-state conditions; in Chapter 3 the transform is applied
to our particular research area: fault diagnosis.

In order to test the techniques which were developed, LISP implementations 
of the Dijkstra transform, interval mathematics operations, and the interval 
mathematics-based envisionment generator were written (see Appendix). The 
resulting programs currently reside on a Macintosh* 171 personal computer; we 
consider their satisfactory performance on such a small machine to be evidence 
of the practical feasibility of the underlying ideas. 
Chapter 1

Models of Physical Systems 


The title of this section notwithstanding, ^ ““^dynamics 

include non-physical type, ^ { J con ’ sider ation is that the 
systems, among others. Th y q . monK a finite set of model 

with aviation and avionics. 


1.1 Dynamical systems 

...dynamical systems theory lies in the fact that it provides a systematic approach
by which any model of a physical system can be put in the form

x_1' = F_1(x_1, ..., x_n, u_1, ..., u_r)
...
x_n' = F_n(x_1, ..., x_n, u_1, ..., u_r)

or, in vector form, 

X' = F(X, U)

where x_i, i = 1, ..., n, represents the amount of effort or flow stored in (capacitive
or inductive) component i, and u_j, j = 1, ..., r, is an input variable.
The x_i are called the state variables of the system; the above form of system
equations is accordingly called state variable form. The F_i represent algebraic
functions, i.e. compositions of elementary functions; we will therefore refer to
functions such as F as algebraic mappings. It can in fact be shown that

F_i(x_1, ..., x_n, u_1, ..., u_r)

may be assumed to have the form

g_i1(x_1) + ... + g_in(x_n) + h_i1(u_1) + ... + h_ir(u_r)

since the process of equation derivation [4] produces such a form. A linear
system is then a special case where g_ik(x_k) = a_ik * x_k and h_ir(u_r) = b_ir * u_r.

It should also be pointed out that it is in general a trivial matter to reduce 
n-th order (n > 1) differential equations to systems of n first-order equations. 
We need merely introduce intermediate variables in an appropriate manner. For 
example, in the case of a mass-spring system defined by the equation 

m*x" + d*x' + k*x = F(t)

we define a new variable y = x'. The second-order equation then becomes the
system of two first-order equations

x' = y

y' = -(1/m) * d * y - (1/m) * k * x - (1/m) * F(t)

The resulting system has the advertised form 

X' = F(X, U) 

but is unsatisfactory insofar as the X and U are not in general the actual energy 
variables and inputs, but linear transforms of these. 

In terms of our mass-spring example, the capacitive element is the spring,
which stores effort (generalized force), the inductive element is the mass, which
stores flow (generalized velocity), and the dissipative element is the damper,
which acts as a resistance. The state variable form of

m*x" + d*x' + k*x = F(t)

is

x' = -k*q + d*x/m - F(t)/m
q' = x/m

where q is momentum, x displacement. [4] should be consulted for details of the
process of constructing systems of equations.

Note that in this case the state function F(X, U) is linear, i.e. it has the
form

x_1' = a_11*x_1 + ... + a_1n*x_n + b_11*u_1 + ... + b_1r*u_r
...
x_n' = a_n1*x_1 + ... + a_nn*x_n + b_n1*u_1 + ... + b_nr*u_r

or, in vector form, X' = AX + BU, where A, B are coefficient matrices.

When linearity obtains, an extensive arsenal of powerful mathematical tech- 
niques can be brought to bear, to such an extent that non-linear F functions 
are often made tractable by replacing them with linear approximations. Among 
these tools are Laplace transforms, eigenvalues, poles and zeroes, and numerous 
other techniques for establishing steady-state conditions, oscillatory modes, and 
similar system properties. 

The state variable formulation of the linear harmonic oscillator exemplified
by the mass-spring system above yields a simple example. The system is stable
if none of the variable values are changing, i.e. if q' = 0 and x' = 0. This
happens when

0 = -k*q + d*x/m - F(t)/m

0 = x/m

Solving these equations, we see that the system is stable iff x = 0 and
F(t) = -qm. More generally, we can obtain the equilibrium (steady-state)
conditions for an arbitrary system X' = AX + BU by solving the system of
simultaneous equations 0 = AX + BU for X in the usual manner.
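The linear equilibrium computation just described, solving 0 = AX + BU for X, carried out in code as an added example (this is not code from the report; the function names and the matrix layout are this example's own). It handles the general n-dimensional linear system rather than only the 2x2 oscillator, using a small Gaussian elimination so that it runs without external libraries. The coefficient matrices are built from the oscillator equation m*x" + d*x' + k*x = F(t) given in the introduction, written in first-order form with state X = (x, x'). The singular case corresponds to the spring-breakage fault mentioned earlier (k set to 0): with k = 0 the system has no unique steady state, and the solver reports this instead of returning a number.

```python
# Steady-state (equilibrium) conditions of a linear system X' = AX + BU, found
# by solving 0 = AX + BU, i.e. AX = -BU (added example; the report states the
# method, this code is not taken from it).  A small Gaussian elimination is
# used so that the example runs without external libraries.

def solve_linear(M, rhs):
    """Solve M z = rhs (M given as a list of rows) by Gaussian elimination with
    partial pivoting.  Raises ValueError when M is singular, i.e. when the
    system has no unique equilibrium."""
    n = len(M)
    aug = [list(map(float, row)) + [float(b)] for row, b in zip(M, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular system: no unique equilibrium")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                for c in range(col, n + 1):
                    aug[r][c] -= f * aug[col][c]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def matvec(M, v):
    """Matrix-vector product for lists of rows."""
    return [sum(mij * vj for mij, vj in zip(row, v)) for row in M]

def equilibrium(A, B, U):
    """The state X with 0 = AX + BU for a constant input vector U."""
    rhs = [-b for b in matvec(B, U)]
    return solve_linear(A, rhs)

def has_unique_equilibrium(A, B, U):
    """False when 0 = AX + BU has no unique solution, e.g. a broken spring (k = 0)."""
    try:
        equilibrium(A, B, U)
        return True
    except ValueError:
        return False

def oscillator_matrices(m, d, k):
    """m*x" + d*x' + k*x = F(t) in state variable form with X = (x, v), v = x':
           x' = v
           v' = -(k/m) x - (d/m) v + (1/m) F
    so A = [[0, 1], [-k/m, -d/m]] and B = [[0], [1/m]], with U = [F]."""
    return [[0.0, 1.0], [-k / m, -d / m]], [[0.0], [1.0 / m]]

def oscillator_equilibrium(m, d, k, F):
    """Steady state of the driven, damped oscillator under constant force F:
    the spring balances the force (x = F/k) and the mass is at rest (v = 0)."""
    A, B = oscillator_matrices(m, d, k)
    return equilibrium(A, B, [F])
```

With k set to 0, the broken-spring fault of the introduction, the matrix A has a zero column and `has_unique_equilibrium` returns False rather than producing a spurious steady state; this is the kind of check a diagnosis procedure needs before trusting an equilibrium computed from a possibly faulty model.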


1.2 CSMs of Intractable Systems 

Instead of assuming models with docile properties such as linearity, our research
has taken the opposite approach, concentrating on discontinuous, non-linear,
analytically intractable systems, since [...] rather than analysis is appropriate.
[...] is a continuous, differentiable function of its arguments [that could possibly
be linearized]. We do not require F to be a closed-form function at all, but
rather allow it to take the form of an arbitrary computation, possibly including
assignments (l := 0) and dependence on time (as in, say, if t > 4 then x := 0),
for computing the indicated values.

It should be noted that the term "continuous simulation" is quite misleading:
the F_i can be discontinuous, non-linear, non-analytical, and in fact should not
be taken literally as closed-form functions at all. The notation [...] merely denotes
the fact that [...] is computed from other values on the basis of some arbitrary
computation [...] discrete [...] "simulation". To emphasize this fact we
shall generally use the notation A(X, U, t) instead of F(X, U) to emphasize the
algorithmic nature of the computation.

1.2.1 Continuous Simulation: Schematic Form

As indicated, we are interested in a [...] Continuous Simulation Model, which is
appropriate [...] described in terms of relationships among a [...] derivatives,
but the [...] proceeds by integrating [...] equations. [...] integration, which
derives from the following straightforward principles:

1. [...]; dt is not, however, deemed to be infinitesimal.

2. The relation distance = rate * time. In this context, distance refers to
the amount a variable changes from one time step to the next, rate is
given in terms of the differential equations determining the variable, and time
is, of course, dt.

The schematic form of a continuous simulation has the following structure:

initialize all but highest derivatives
loop
    A. use values of simulation variables at time t
       to compute, by means of model equations,
       time t values for the highest derivatives
       occurring in the model
    B. use time t values of derivatives and other
       variables to compute, by means of the d = r*t
       principle, time t+1 values for all but
       the highest derivatives
end loop;

Let us examine this computation schema in more detail. Suppose the variables
involved in the simulation are x_1, ..., x_n, as well as their derivatives
x_1^(1), ..., x_1^(m_1), ..., x_n^(1), ..., x_n^(m_n). (Note: we will use the term
"highest derivative(s)" for the highest-order derivative of each variable occurring
in the model, and "lower derivatives" to denote all derivatives other than the
highest derivatives. Included in these lower derivatives is the zero-order derivative
of each variable, i.e. the variable itself: x_i^(0) = x_i.) Also given are functions
relating the highest derivative of each variable to the values of the lower
derivatives and of auxiliary variables:

x_1^(m_1) := A_1((args_1))
...
x_n^(m_n) := A_n((args_n))

The arguments (args_i) typically include lower derivatives (including the variables
themselves), as well as auxiliary variables. Inclusion of highest derivatives
in the arguments is permissible, but must be handled carefully to avoid circularity.
As is the case in the analytical approach, a set of initial conditions is
given, which specify initial values of x_i^(j), j = 0, ..., m_i - 1. We thus begin
with known values for all except the highest derivatives x_1^(m_1), ..., x_n^(m_n). The
first step is to complete this set by computing the highest derivatives for t = 0:

x_1^(m_1)[0] := A_1((args_1))
...
x_n^(m_n)[0] := A_n((args_n))

(the notation x_i^(j)[t] denotes the value of x_i^(j) at time t). At this point we have
values for all x_i^(j), i = 1, ..., n, j = 0, ..., m_i. We can now use these
values and the d = r*t principle to compute values for time t+1. Since t was
0 above, the next step computes t = 1 values:

x_1[1] := x_1[0] + x_1'[0] * dt          (x' denotes dx/dt)
x_1'[1] := x_1'[0] + x_1''[0] * dt
...
x_1^(m_1 - 1)[1] := x_1^(m_1 - 1)[0] + x_1^(m_1)[0] * dt
From this we see that the general computation proceeds as follows:

loop
    -- at this point we have time t values for
    -- all but the highest derivatives
    x_1^(m_1)[t] := f_1((args_1))
    ...
    x_n^(m_n)[t] := f_n((args_n))
    -- at this point we have time t values of all variables
    -- and their derivatives.
    -- Now compute time t+1 values for all but the
    -- highest derivatives
    x_1[t+1] := x_1[t] + x_1'[t] * dt
    x_1'[t+1] := x_1'[t] + x_1''[t] * dt
    ...
    x_1^(m_1 - 1)[t+1] := x_1^(m_1 - 1)[t] + x_1^(m_1)[t] * dt
    ...
    x_n^(m_n - 1)[t+1] := x_n^(m_n - 1)[t] + x_n^(m_n)[t] * dt
    -- now update t and iterate
    t := t + 1;
end loop;

The x_i^(j) above were treated as array variables indexed by t. In general,
however, it is not necessary to save all values of all x_i^(j) for all t; the computations
typically proceed quite locally in time. The loop can thus be rewritten as follows:

loop
    -- point A:
    x_1^(m_1) := f_1((args_1))
    ...
    x_n^(m_n) := f_n((args_n))
    -- as before, we now have a full set of values for
    -- x_i^(j), i = 1, ..., n, j = 0, ..., m_i
    -- point B:
    -- Now compute time t+1 values:
    x_1 := x_1 + x_1' * dt
    x_1' := x_1' + x_1'' * dt
    ...
    -- explicit updating of t is no longer necessary
    -- point A:
end loop;

Note that we have designated two control points in the above program; we
call them point A and point B (the point A just before the end loop is logically
identical with the point A following loop). Moreover, we shall refer to the
computations following point A and preceding point B as the A-computations
or the A block; similarly, the block of code after B and before A is called the
B-computations or the B block. A number of observations are in order regarding
the above program. The first is that while the order of the B computations
is irrelevant if explicit time subscripts are used, order is critical if, as above,
subscripts are omitted. Suppose, for example, that we had written

x_1' := x_1' + x_1'' * dt
x_1 := x_1 + x_1' * dt

It is clear that the x_1' used in the second equation to update x_1 is x_1'[t+1], not
x_1'[t]. As noted previously, the notation f_i merely denotes the fact that x_i^(m_i) is
computed from other values on the basis of some arbitrary computation, which
may involve loops, if statements, procedure calls, and all the other mechanisms
of computation.

We now present an example of such a simulation: a program which models
a relay servo. (Source: [1], pp. 117-119.) A relay servo is a feedback control
system in which the corrective signal is applied discontinuously. The intent of
the system is to minimize the error difference E = Y - X between reference
(input) signal Y and the output X (Y is kept constant at zero in this model).
The servo equation is

X" = -X'/B + G * A/B

where G represents the action of the relay, taking on values of -1, 0, and +1,
depending on the value of E. The formal similarity of the above equation with
the linear harmonic oscillator equation x" = -x'/mass - k * x/mass should
be noted; A plays the role of the spring constant, B the role of mass.

-- parameter specifications:
A := 2; B := 0.5; V := 1; Y := 0;

-- step size specification:
dt := 0.01;

-- initial conditions:
X' := 0; X := 1.5;

-- simulation loop:
loop
    -- point A:
    E := Y - X;
    if E > 0 then G := V;
    elsif E = 0 then G := 0;
    else G := -V;
    end if;

    X" := -X'/B + G * A/B
    -- X"[t] = f(X'[t], G[t], A, B)

    -- All values X, X', X" are current to time t here
    -- Now compute t+1 values of X and X':

    -- point B:
    X := X + X' * dt
    X' := X' + X" * dt
end loop
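The relay servo program above, as an added runnable example in Python (this is not the report's program; the function names and the layout of the trajectory records are this example's own, and the parameter values are those given in the text). The A block and the B block are kept as separate functions so that the two control points remain visible, and the B block takes a flag that reproduces the ordering mistake discussed above, so the effect of advancing X with X'[t+1] instead of X'[t] can be observed directly.

```python
# Relay servo CSM of the text, run as a Python program (added example).  The A
# block and the B block of the schematic are separate functions so that the two
# control points stay visible; names such as a_block, b_block and the record
# layout of the trajectory are this example's own.

def relay(E, V):
    """G as a function of the error E: +V, 0 or -V (the auxiliary computation)."""
    if E > 0:
        return V
    elif E == 0:
        return 0.0
    else:
        return -V

def a_block(X, Xd, A, B, V, Y):
    """Point A: from time-t values of X and X' compute the time-t values of the
    auxiliaries E, G and of the highest derivative X'' = -X'/B + G*A/B."""
    E = Y - X
    G = relay(E, V)
    Xdd = -Xd / B + G * A / B
    return E, G, Xdd

def b_block(X, Xd, Xdd, dt, xd_first=False):
    """Point B: d = r*t step for all but the highest derivative.  With time
    subscripts omitted the order matters: xd_first=True updates X' before X,
    so X is advanced with X'[t+1] instead of X'[t] (the error discussed above)."""
    if xd_first:
        Xd = Xd + Xdd * dt
        X = X + Xd * dt
    else:
        X = X + Xd * dt
        Xd = Xd + Xdd * dt
    return X, Xd

def simulate_relay_servo(steps, dt=0.01, A=2.0, B=0.5, V=1.0, Y=0.0,
                         X0=1.5, Xd0=0.0, xd_first=False):
    """Run the simulation loop for `steps` iterations.  Returns one record
    (t, X, X', X'', G) per iteration, holding the values current at time t
    just after point A.  Defaults are the parameter values of the text."""
    X, Xd = X0, Xd0
    trajectory = []
    for i in range(steps):
        t = i * dt
        E, G, Xdd = a_block(X, Xd, A, B, V, Y)        # point A
        trajectory.append((t, X, Xd, Xdd, G))
        X, Xd = b_block(X, Xd, Xdd, dt, xd_first)     # point B
    return trajectory

def final_error(trajectory, Y=0.0):
    """E = Y - X at the last recorded step: how far the servo is from the reference."""
    return Y - trajectory[-1][1]

if __name__ == "__main__":
    traj = simulate_relay_servo(2000)
    for t, X, Xd, Xdd, G in traj[::200]:
        print(f"t={t:5.2f}  X={X:8.4f}  X'={Xd:8.4f}  X''={Xdd:8.4f}  G={G:+.0f}")
    print("final error:", final_error(traj))
```

Starting from X = 1.5 with the reference Y = 0, the relay engages with G = -1, X'' is initially -4, X passes through zero (the relay cannot anticipate, so the servo overshoots) and then settles close to the reference; running the same number of steps with `xd_first=True` gives a different trajectory, which is the point of the ordering remark above.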


1.3 Components of a Continuous Simulation Model

The previous section has presented a schematic form for CSMs. We now examine 
the constituents of CSMs more closely. These may be classified as follows: 

• Constants: quantities that cannot change, even in principle (in particular:
in the presence of faults).

Example: conversion_factor = 180/3.14159

• Parameters: quantities treated as constants for the duration of a simulation
run, but which may vary from one run to the next.

Example: mass = 2.0

In the context of fault diagnosis and fault propagation, parameters fall into
two classes: intentional parameters (those intended by the programmer to
be parameters) and inadvertent parameters, i.e. quantities intended by
the programmer to remain constant, but which have changed due to a
fault. Inadvertent parameters can, in fact, act as variables, changing in
mid-run.

• Endogenous variables: x_1, ..., x_n, and their derivatives: the quantities
whose values are determined by the equations of the model. In the case of
dynamical systems in state variable form, endogenous variables correspond
to state variables. In the relay servo example (which is not in state variable
form), X, X', and X" are endogenous variables.

• Exogenous variables: quantities supplied (input) from outside the model,
rather than being computed in terms of model quantities. In the relay
servo example, the reference signal Y is an exogenous variable (which is
held constant at zero in this particular example). In dynamical systems,
exogenous variables are referred to as input variables or sources of effort
or flow.

• Auxiliary variables: quantities computed in terms of endogenous and exogenous
variables and other auxiliary variables, but which are not themselves
endogenous variables. In the relay servo example G and E are
auxiliary variables. It should be noted that auxiliary variables occur in
algorithmic mappings but not in equational ones: only algorithms require
temporary variables.

In an algorithmic model constructed without the benefit of a methodology 
such as the one outlined in [4], the difference between auxiliary variables and 
endogenous variables is in general subjective and arbitrary. As a rule of thumb, 
a variable is deemed to be endogenous if it is the sort of thing that might 
reasonably be printed out as model output, otherwise it is auxiliary. In a system 
dynamics model, the category of any variable is evident: if it represents an effort 
or flow source, it is an input (exogenous) variable; if it represents the amount of 
effort or flow stored in a capacitance or inductance, it is a state (endogenous) 
variable; if it belongs to neither class, the only remaining possibility is that it 
is an auxiliary variable. 

1.3.1 State Variable Form 

While we will continue to deal with models involving higher-order equations, 
we have seen that we may confine ourselves to systems of first-order equations 
if desired. In this case we can restate our CSM loop schematic as follows: 

Assign initial values to simulation variables 
loop 

A. use values of simulation variables at time t to compute, 
by means of model equations, time t values for the 
derivatives occurring in the model 

(which will be first-order only) 

B. use time t values of derivatives and other variables to
compute, by means of the d = r*t principle, time t+1 values
for all variables

end loop; 

or in vector form, 

X := X_0

loop

    A. X' := A(X, U, t)

    B. X := X + X' * dt
end loop

In our previous discussion of dynamical systems models having the general
form X' = F(X, U, t), we referred to the mapping F as an algebraic or equational
mapping. By analogy, we refer to A as an algorithmic mapping. More
generally, an algorithmic mapping is any computational scheme that maps a set
of input values X to a set of output values Y.

As is apparent from the loop schema, the simulation loop body consists of two
consecutive mappings, the A-computations A followed by the B-computations
B. The effect of running the simulation for n iterations can then be expressed
as applying the mapping (A · B)^n to argument X_0. If the loop has the form

loop

    A. X' := A(X, U, t)

    B. X := X + X' * dt
end loop

then we see that initially X = X_0, and for i ≥ 0 we have

X_{i+1} := X_i + dt · A(X_i, U, t)

It is evident that each iteration of the simulation loop computes the next value
of X by adding a small vector pointing in the A(X, U, t) direction to the current
X. It is fairly common for simulations to have neither exogenous variables nor
explicit time dependences; if this is so, then the above assignment becomes

X_{i+1} := X_i + A(X_i) · dt

The significance of this form is that the behavior of X under the iteration is
governed by the time-invariant mapping A; in particular, the fact that the
mapping does not depend on t makes it possible to pre-establish operating
regions in the vector space. Such operating regions will play a role in the
subsequent development; in particular, each qualitative state corresponds to a
distinct operating region.
Chapter 2

CSM-based reasoning 


We have presented a formalization of the CSM process in terms of iterated 
mappings on a vector space R n . We will now explore some of the implications 
of this formulation. 

We have indicated previously that the system identification approach to diagnosis
consisted of posing the question "how do we make the model behave like
that?" As it happens, this approach is not confined to either fault diagnosis or
qualitative reasoning. Consider a dynamical system X' = F(X, U), and suppose
we are interested in steady-state (equilibrium) conditions, i.e. in conditions
under which the system is stationary. In model terms, this corresponds to having
no changes in any of the state variables; formally, X' = 0 = F(X, U). The problem
has been reduced to finding values for X and U satisfying 0 = F(X, U),
which is generally possible, at least numerically, if the system equations are
closed-form expressions. In the case of linear systems the solution process reduces
to solving a set of linear equations.

The case where the system model is a CSM rather than a dynamical system
model presents rather greater problems. Instead of a system of equations
X' = F(X, U), we have an iterated computation

loop

    X' := A(X, U, t)

    X := X + X' * dt
end loop

Since A is not in general a system of equations, linear or otherwise, traditional
methods do not apply. We have nonetheless been able to develop a
technique for attacking such problems, which represents a generalization to algorithmic
mappings of techniques appropriate to equation mappings. This
approach makes use of the weakest precondition predicate transformation technique
developed by Dijkstra [2] to derive solutions to questions posed of models
based on algorithmic (special case: equational) mappings.
By way of example, consider once again the problem of determining steady-state
conditions discussed above, this time for the case of an algorithmic mapping.
For the sake of simplicity, suppose there are no exogenous variables, and
time is not an explicit parameter. Thus we have

loop

    X' := A(X)

    X := X + X' * dt
end loop

As before, equilibrium corresponds to a condition where X' = 0. In this
case, however, we have an assignment statement (:=) rather than an equation
(=). The question thus becomes: what has to be true before the assignment is
performed, for X' = 0 to be true afterwards?

This formulation is essentially identical to Dijkstra's definition of the wp
predicate transformer [2]. For the sake of completeness, we will present a brief
review of the basic predicate transformers; readers requiring more detail are
referred to [2].
2.1 Introduction to the Dijkstra Transform

The wp predicate transformer is an operator that takes two operands, a program
and a predicate, and produces a predicate as result. We will use Dijkstra's
notation wp(Prog | R) to denote the weakest (most general) predicate, called
the weakest precondition, that must hold prior to execution of program Prog, if
predicate R (the postcondition) is to hold after execution of Prog.

2.1.1 Fundamental Algorithmic Constructs 

The well-known Jacopini-Böhm theorem states that any single-entry/single-exit
program is equivalent to a program using only sequencing, if statements, and a 
controlled looping construct such as the while or repeat-until loop as control 
structures. Furthermore, loops within the main simulation loop tend to be rare, 
and most of the “inner syntax” of CSMs consists of assignment statements. For 
our purposes it therefore suffices to give the wp transform for sequencing, if 
statements, and assignment. 

Transforms of Fundamental Algorithmic Constructs

Statement sequencing: if S1 and S2 are program statements, then
wp(S1; S2 | R) = wp(S1 | wp(S2 | R)). This fact immediately generalizes to

wp(S1; ...; Sn | R) = wp(S1 | wp(S2 | ... wp(Sn | R) ...)).

Assignment:

wp(x := E | R) = R_{E→x}

where R_{E→x} denotes predicate R with expression E substituted for all
free occurrences of variable x in R. For example,

wp(x := 1 - y | x = y + 5) = (y + 5 = 1 - y)

or y = -2, which is the weakest predicate that had to be true if the
postcondition x = y + 5 was to hold.

if statements: The if statement has the usual guarded-command syntax:

<if> ::= if <be_1> → <statements_1> |
         ...
         | <be_n> → <statements_n>
         fi

where the be_i are boolean expressions. The transformer for <if> is

wp(<if> | R) = (<be_1> ⇒ wp(<statements_1> | R)) ∧
               ...
               (<be_n> ⇒ wp(<statements_n> | R))

In our application we can state that exactly one guard will be true. The
condition (<be_1> ∨ ... ∨ <be_n>) included in Dijkstra's formulation is therefore
always true and can be omitted.

do statements: The do statement has the guarded-command syntax given in [2]:

<do> ::= do <be_1> → <statements_1> |
         ...
         | <be_n> → <statements_n>
         od

The semantics of this construct stipulate that the statements within the
do-od are executed repeatedly as long as a true guard exists. As before,
our application and implementation language allows us to assume that at
most one guard is true for any iteration.

The transformer for <do> is

wp(<do> | R) = (∃k : k ≥ 0 : H_k(R))

where H_0(R) = R ∧ ¬(∃j : 1 ≤ j ≤ n : <be_j>)

      H_k(R) = wp(IF, H_{k-1}(R)) ∨ H_0(R)

2.1.2 Applications of the Dijkstra Transform

Equilibrium Conditions

Example: An Abstract Buzzer. We begin with a simple example: applying
the wp transform to the problem of finding equilibrium conditions for an abstract
buzzer. We assume we have a device whose (sole) moving part is characterized
by its position l on the real axis. Furthermore, we posit that if lmin < l ≤ a
then l is moving right; if a < l < lmax then l is moving left; otherwise it is
stationary. In schematic form:

[figure: the real axis with lmin, a and lmax marked; stationary for l ≤ lmin,
moving right on (lmin, a], moving left on (a, lmax), stationary for l ≥ lmax]

The CSM has this form:
loop
    { A: }
    S1: if
        l >= lmax → l' := 0;
        l <= lmin → l' := 0;
        lmin < l <= a → l' := 1;
        a < l < lmax → l' := -1
    fi
    { B: }
    S2: l := l + l' * dt
until done


We now pose the question: under what conditions is this system stable? In
formal terms: what is the weakest precondition for l' = 0?

We have

A(l, lmin, a, lmax) = A(l) =
    if
        l >= lmax → l' := 0;
        l <= lmin → l' := 0;
        lmin < l <= a → l' := 1;
        a < l < lmax → l' := -1
    fi

Then

wp(A(l) | l' = 0) =
    (l >= lmax ⇒ wp(l' := 0 | l' = 0)) ∧
    (l <= lmin ⇒ wp(l' := 0 | l' = 0)) ∧
    (lmin < l <= a ⇒ wp(l' := 1 | l' = 0)) ∧
    (a < l < lmax ⇒ wp(l' := -1 | l' = 0))

=   (¬(l >= lmax) ∨ (0 = 0)) ∧
    (¬(l <= lmin) ∨ (0 = 0)) ∧
    (¬(l ∈ (lmin, a]) ∨ (0 = 1)) ∧
    (¬(l ∈ (a, lmax)) ∨ (0 = -1))

=   (l ∉ (lmin, a]) ∧ (l ∉ (a, lmax))

=   l ∉ (lmin, lmax)

This answer is, of course, intuitively obvious; the purpose of this example was 
to illustrate the formal definition of preconditions prerequisite for given post- 
conditions, in this case equilibrium conditions. The following example derives 
a less obvious precondition. 
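The wp transforms of Section 2.1.1 and the buzzer derivation above, as an added executable example. This is not the LISP implementation from the report's Appendix, and every name in it is this example's own. Instead of manipulating formulas, it represents a predicate as a function from a program state to a boolean and a statement S by the function R ↦ wp(S | R): wp(x := E | R) is R evaluated in the state with E substituted for x, wp(S1; S2 | R) is the composition, and wp(<if> | R) is the conjunction of implications given above. The buzzer's A-computations are encoded this way and the resulting precondition for l' = 0 is evaluated at sample positions, which agrees with the hand derivation l ∉ (lmin, lmax). The do construct is included with the H_k recursion unrolled to a fixed bound, which is an approximation made by this example, not by the report.

```python
# Executable reading of the wp predicate transformer (added example).  A state is
# a dict of variable -> value, a predicate is a function state -> bool, an
# expression is a function state -> value, and a statement S is represented by
# its transformer, the function R -> wp(S | R).

def const(value):
    """Expression with a constant value."""
    return lambda s: value

def assign(var, expr):
    """var := expr.  wp(var := E | R) = R with E substituted for var, i.e.
    R evaluated in the state where var holds the current value of E."""
    def transformer(R):
        def pre(s):
            s2 = dict(s)
            s2[var] = expr(s)
            return R(s2)
        return pre
    return transformer

def seq(*stmts):
    """S1; ...; Sn.  wp(S1;...;Sn | R) = wp(S1 | wp(S2 | ... wp(Sn | R)))."""
    def transformer(R):
        pre = R
        for stmt in reversed(stmts):
            pre = stmt(pre)
        return pre
    return transformer

def guarded_if(*arms, require_some_guard=False):
    """if g1 -> S1 | ... | gn -> Sn fi, with arms as (guard, stmt) pairs.
    wp(<if> | R) = AND_i (g_i => wp(S_i | R)).  As in the report, Dijkstra's
    extra conjunct (g1 or ... or gn) is dropped unless require_some_guard is
    set; the do-od rule below needs it."""
    def transformer(R):
        def pre(s):
            ok = all((not g(s)) or S(R)(s) for g, S in arms)
            return ok and (any(g(s) for g, _ in arms) or not require_some_guard)
        return pre
    return transformer

def guarded_do(arms, kmax):
    """do g1 -> S1 | ... | gn -> Sn od, via the report's recursion
        H_0(R) = R and not (g1 or ... or gn)
        H_k(R) = wp(IF | H_{k-1}(R)) or H_0(R)
    unrolled only to the fixed bound kmax (an assumption of this example); the
    result H_kmax(R) is a sufficient precondition, and the weakest one only when
    the loop needs at most kmax iterations."""
    IF = guarded_if(*arms, require_some_guard=True)
    def transformer(R):
        def H0(s):
            return R(s) and not any(g(s) for g, _ in arms)
        def H(k):
            if k == 0:
                return H0
            prev = H(k - 1)
            return lambda s: IF(prev)(s) or H0(s)
        return H(kmax)
    return transformer

def assignment_example(y):
    """The text's wp(x := 1 - y | x = y + 5): true exactly when y = -2."""
    pre = assign("x", lambda s: 1 - s["y"])(lambda s: s["x"] == s["y"] + 5)
    return pre({"y": y})

def sequencing_example(y):
    """wp(y := y + 1; x := 2*y | x = 10) = (2*(y + 1) = 10), i.e. y = 4."""
    prog = seq(assign("y", lambda s: s["y"] + 1), assign("x", lambda s: 2 * s["y"]))
    return prog(lambda s: s["x"] == 10)({"y": y})

def buzzer_a_block(lmin, a, lmax):
    """S1 of the abstract buzzer: the guarded if that sets l'."""
    return guarded_if(
        (lambda s: s["l"] >= lmax,     assign("l'", const(0))),
        (lambda s: s["l"] <= lmin,     assign("l'", const(0))),
        (lambda s: lmin < s["l"] <= a, assign("l'", const(1))),
        (lambda s: a < s["l"] < lmax,  assign("l'", const(-1))))

def buzzer_is_equilibrium(l, lmin, a, lmax):
    """wp(S1 | l' = 0) at position l: true iff l is outside (lmin, lmax),
    the result derived by hand above."""
    return buzzer_a_block(lmin, a, lmax)(lambda s: s["l'"] == 0)({"l": l})

def counting_loop_reaches(x, target, kmax=20):
    """wp(do x < target -> x := x + 1 od | x = target) unrolled kmax times:
    true iff x <= target and target - x <= kmax."""
    loop = guarded_do([(lambda s: s["x"] < target, assign("x", lambda s: s["x"] + 1))], kmax)
    return loop(lambda s: s["x"] == target)({"x": x})
```

Because predicates are evaluated pointwise, this encoding answers "does the weakest precondition hold in this state?" rather than producing the simplified formula the hand derivation ends with; sweeping l over sample values recovers the same region l ∉ (lmin, lmax), and the same machinery evaluates wp for any A block written from assignments, sequencing and guarded ifs.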

Example: Relay Servo. By way of example, we will apply the wp transform
to the problem of finding equilibrium conditions for the relay servo discussed
previously:

x" = -x'/B + G * A/B

G = if F(t) < x then -1 else
    if F(t) > x then 1 else 0 fi

For the sake of simplicity we first put the model in state variable form:

p' = -q * A - p/B

q' = -G/B

with G as above; p represents momentum, and q is displacement in these equations.

The A-computations of the relay servo CSM are thus

{S1:} p' := -q * A - p/B

{S2:} if F(t) < q then q' := -1/B
      else if F(t) > q then q' := 1/B else q' := 0 fi

We have equilibrium if p' = 0 and q' = 0. But q' is computed by an algorithm 
(however simple), not an algebraic equation. We therefore use the “algorithm 
solver”, the wp transform: 

wp(S1; S2 | p' = 0 ∧ q' = 0) = wp(S1 | wp(S2 | p' = 0 ∧ q' = 0))

wp(S2 | p' = 0 ∧ q' = 0) =

(F(t) < q ⇒ wp(q' := -1/B | p' = 0 ∧ q' = 0)) ∧
(F(t) > q ⇒ wp(q' := 1/B | p' = 0 ∧ q' = 0)) ∧
(F(t) = q ⇒ wp(q' := 0 | p' = 0 ∧ q' = 0))

= (F(t) < q ⇒ p' = 0 ∧ -1/B = 0) ∧
  (F(t) > q ⇒ p' = 0 ∧ 1/B = 0) ∧
  (F(t) = q ⇒ p' = 0 ∧ 0 = 0)




(since B ≠ ∞, and so 1/B = 0 is false)


= (F(t) < q ⇒ false) ∧
  (F(t) > q ⇒ false) ∧
  (F(t) = q ⇒ p' = 0)

= ¬(F(t) < q) ∧ {so F(t) ≥ q}
  ¬(F(t) > q) ∧ {so F(t) ≤ q, i.e. F(t) = q}
  (F(t) = q ⇒ p' = 0)

= (F(t) = q) ∧ (F(t) = q ⇒ p' = 0)
= (F(t) = q) ∧ (p' = 0)

so

wp(S1 | wp(S2 | p' = 0 ∧ q' = 0)) =

wp({S1:} p' := -q*A - p/B | (F(t) = q) ∧ (p' = 0))
= F(t) = q ∧ -q*A - p/B = 0


so F(t) = (-A/B) * p is the weakest precondition for equilibrium.

The preceding discussion of equilibrium conditions for a relay servo has illus- 
trated the extension of reasoning processes heretofore possible only for algebraic 
mappings to algorithmic mappings by means of the wp transform. The mapping 
employed in this example was quite simple; even so, the resulting development 
was sufficiently complex to make it clear that more substantial examples require 
computer-assisted processing. The wp transform implementation we have devel- 
oped (Appendix B) supplies the basic tools required for this sort of reasoning. 
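The derivations above can be mechanized. What follows is an added example in Python, not the Appendix B implementation the report refers to: a predicate transformer for assignment, sequencing and the guarded if-fi, in which a predicate is a function of a state (a dictionary of variable values), so that wp(S | Q) is obtained by evaluation at a state rather than by symbolic rewriting. The buzzer landmark values 1, 2, 3 are constructed; the servo constants A = 2, B = 0.5 are the report's, with F(t) held at a constant F, and the guards are those of the A(I) and S1; S2 listed above.

```python
"""Dijkstra's weakest-precondition transformer, executable, for the
guarded-command fragment the report uses: assignment, sequencing, if-fi.
Added example, not the report's Appendix B implementation.  A predicate is
a Python function of a state; a statement is represented by its wp transformer."""
from typing import Callable, Dict, Tuple

State = Dict[str, float]
Pred = Callable[[State], bool]
Stmt = Callable[[Pred], Pred]        # S maps a postcondition Q to wp(S | Q)
NAN = float("nan")                   # marks a variable whose value must not matter


def assign(var: str, expr: Callable[[State], float]) -> Stmt:
    """wp(var := expr | Q) = Q with var replaced by expr: evaluate Q in the
    state where var already holds the value of expr."""
    return lambda q: (lambda s: q({**s, var: expr(s)}))


def seq(*stmts: Stmt) -> Stmt:
    """wp(S1; S2 | Q) = wp(S1 | wp(S2 | Q)): transform from the last statement back."""
    def wp(q: Pred) -> Pred:
        for st in reversed(stmts):
            q = st(q)
        return q
    return wp


def alt(*arms: Tuple[Pred, Stmt]) -> Stmt:
    """wp(if g1 -> S1 [] ... [] gn -> Sn fi | Q) = AND_i (g_i => wp(S_i | Q)),
    the conjunction of implications used in the report's derivations."""
    return lambda q: (lambda s: all((not g(s)) or st(q)(s) for g, st in arms))


# abstract buzzer A(I): guards I >= Imax, I <= Imin, Imin < I <= a, a < I < Imax
def buzzer(imin: float, a: float, imax: float) -> Stmt:
    return alt(
        (lambda s: s["I"] >= imax,      assign("I'", lambda s: 0.0)),
        (lambda s: s["I"] <= imin,      assign("I'", lambda s: 0.0)),
        (lambda s: imin < s["I"] <= a,  assign("I'", lambda s: 1.0)),
        (lambda s: a < s["I"] < imax,   assign("I'", lambda s: -1.0)),
    )


def buzzer_stable(i: float, imin: float = 1.0, a: float = 2.0, imax: float = 3.0) -> bool:
    """wp(A(I) | I' = 0) evaluated at I = i (constructed landmarks 1, 2, 3).
    I' starts as NaN to show that the precondition depends on I alone."""
    equilibrium: Pred = lambda s: s["I'"] == 0.0
    return buzzer(imin, a, imax)(equilibrium)({"I": i, "I'": NAN})


# relay servo S1; S2 with the exogenous input F(t) held at the constant F
def relay_servo(A: float, B: float, F: float) -> Stmt:
    s1 = assign("p'", lambda s: -s["q"] * A - s["p"] / B)
    s2 = alt(
        (lambda s: F < s["q"],  assign("q'", lambda s: -1.0 / B)),
        (lambda s: F > s["q"],  assign("q'", lambda s: 1.0 / B)),
        (lambda s: F == s["q"], assign("q'", lambda s: 0.0)),
    )
    return seq(s1, s2)


def servo_equilibrium(p: float, q: float, A: float = 2.0, B: float = 0.5, F: float = 0.0) -> bool:
    """wp(S1; S2 | p' = 0 and q' = 0) at the state (p, q); by the derivation in
    the text this holds exactly when F = q and -q*A - p/B = 0."""
    equilibrium: Pred = lambda s: s["p'"] == 0.0 and s["q'"] == 0.0
    return relay_servo(A, B, F)(equilibrium)({"p": p, "q": q, "p'": NAN, "q'": NAN})


if __name__ == "__main__":
    print([i for i in (0, 1, 1.5, 2, 2.5, 3, 4) if buzzer_stable(i)])   # I outside (Imin, Imax)
    print(servo_equilibrium(0.0, 0.0), servo_equilibrium(-1.0, 1.0, F=1.0), servo_equilibrium(1.0, 0.0))
```

Evaluating buzzer_stable over a grid of I values recovers the precondition I ∉ (Imin, Imax) pointwise, and servo_equilibrium holds exactly at the states with F = q and -q*A - p/B = 0 (for instance p = -1, q = 1, F = 1). What this pointwise form cannot do is produce the closed formula itself; that symbolic derivation is the task of the Appendix B implementation the text refers to.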




Chapter 3 

Qualitative Reasoning and 
Interval Mathematics 


We have presented an overview of CSMs, touching on dynamical systems based 
on equational mappings. We have given a simple canonical schematic for CSMs 
based on the concept of algorithmic mappings, as well as a concise vector nota- 
tion for CSMs. Finally, the concept of wp predicate transformer was introduced 
and it was shown how this transform could serve as a generalized form of “solv- 
ing” the algorithmic mapping, analogous to solving equational mappings, by 
providing answers to the question “what must hold beforehand, in order for 
condition P to obtain after the A and B mappings are applied?” The use of this 
approach was illustrated by example. 

We now turn our attention to the domain of qualitative reasoning, with the 
ultimate goal of applying wp transform techniques to this domain. The rationale 
for employing qualitative reasoning rather than quantitative methods has been 
amply discussed elsewhere [3], and can be summarized as corresponding to a 
requirement for reasoning at a more abstract level, and/or with less specific 
information than is the case for quantitative reasoning. [3] contains descriptions 
of a number of approaches to this goal. The ontologies and methods underlying 
these approaches vary widely, but all have this in common: it is assumed that 
no quantitative model of the system of interest is available, and that inferences 
may/must be made solely on the basis of knowledge of monotonicity of functional 
relationships, and position of values with respect to designated (“landmark”) 
values in a quantity space. 

Our research has proceeded on the basis of the opposite assumption: that a 
quantitative model is available. A number of reasons motivate this approach. 
Important among these is the fact that qn models are frequently available for 
the systems of interest; moreover, as pointed out in the previous discussion of 
spring breakage in the mass-spring model, these models often reflect physical 
reality accurately enough to form a basis for ql inference about system behavior. 

A second motivation for the use of qn models as inference basis is the author's 
belief that the most powerful model-based inference engine of all, the human 
mind, does its reasoning on the basis of qn rather than ql models. This is 
admittedly incompatible with the assertion of most authors in the ql reasoning 
field that ql reasoning corresponds to the sort of modeling done by the mind. 

To quote Bertrand Russell, “when the experts are in agreement the opposing 
position cannot be held to be certain.” Nonetheless, it appears to us that the 
imprecision and heavy reliance on default values inherent in mental modeling has 
been confused with true ql reasoning processes. A simple gedankenexperiment 
will illustrate this point. Imagine a tennis ball dropped from shoulder height: 
how many times does it bounce? The gedankenexperimenter will solve this 
problem by producing and then watching an impromptu mental movie of this 
script. Rather than deducing or inferring a result by any formal method, the 
answer is obtained by counting how many times the mental image of the ball 
bounces on the “inner screen.” Default values are inherent in the choice of 
production values for “shoulder height” as well as the surface on which the ball 
bounces. The qn nature of the process can be seen in the fact that the answer 
will probably be “four or five times”, rather than one of the answers produced by 
true ql reasoners: “don’t know” or “infinitely often” or, most likely, an infinite 
branching tree of histories. 

But we digress. The third cogent motive lies in these considerations: 

• a qn model allows powerful inferencing, and 

• if a qn model is not available, it may well be possible to produce one 
even in the absence of deep physical insight. On the most basic level, this 
corresponds to noting which variables are present, and how they interact: 
if a increases, b decreases, etc. By a leap of faith, a first-cut assumption of 
linearity can then be made: a = k * b. In many cases, such an assumption 
will not be justifiable, but may nonetheless provide a sufficiently accu- 
rate approximation of reality to be useful. [7] and [8] provide intriguing 
discussions of these ideas. 

Why CSMs as qn Models? In view of the vast variety of qn models avail- 
able, a word of explanation regarding our choice of CSMs as representation is 
in order. Our domain of discourse is concerned largely with physical systems, 
for which the most natural representation is in terms of relationships among 
magnitudes and their rates of change. If these relationships are of a particularly 
simple and regular form, they can conveniently be cast in the form of differen- 
tial equations. If this is not the case, then the derivation of new values from 
old must proceed as some form of more complex computation, i.e. in terms of 
an algorithmic mapping. The CSM is a canonical form for such computational 
treatment of qn models. 
Having provided a rationale for CSM-based reasoning, we now examine the 
processes involved, and how they differ from traditional ql reasoning. In concise 
terms, where ql reasoning proceeds on the basis of resolving influences, CSM- 
based reasoning proceeds by means of symbolic evaluation of interval values by 
means of interval mathematics. More precisely: as in traditional ql reasoning, 
there is a set of variables representing the quantities of interest in the system. 
Moreover, we have given a set of landmark values: a finite set of distinguishing 
points (which always include ±∞) on the extended real axis ℝ⁺ = ℝ ∪ {±∞}. In 
our formulation each variable may have associated with it its own personal set of 
landmark values; that set is a totally ordered finite subset of ℝ⁺. No particular 
ordering need be assumed, however, for the landmarks of one variable relative 
to those of another. 


3.1 Mathematical Background 

The present section introduces the mathematical vocabulary which will be 
needed to develop our approach to ql simulation. Since our CSM-based rea- 
soning system proceeds on the basis of interval arithmetic, we must first define 
its operands, which in Lebesgue theory are known as elementary sets (ess). 

3.1.1 Definition of Elementary Sets 

Definition The extended reals ℝ⁺ = ℝ ∪ {±∞}, the reals augmented with 
±∞. 

Definition An interval in ℝ⁺ is the set of points x = (x_1, ..., x_p) such that 
a_i < (or ≤) x_i < (or ≤) b_i, i = 1, ..., p. 

Thus intervals may be open, closed, or half open (equivalently: half closed). 
We will use the notation [(a, b]) when we wish to leave unspecified whether the 
endpoint in question is open or closed. [ and ( will be referred to as left, ] and 
) as right marks. The degenerate interval [a, a] is a permissible interval; it is a 
singleton containing only a, and will in most cases be identified with the number 
a. The left endpoint of the interval may be greater than the right endpoint, i.e. 
the empty set is an interval. In addition, if no confusion is possible, we will write 
[(a, a]) to denote the singleton es {[(a, a])}, and a to denote the es {[a, a]}. 

Unless otherwise stated, we will assume that p = 1 i.e. our intervals are 
subsets of one-dimensional Euclidean space. 

Definition An elementary set is the union of a finite number of intervals in ℝ⁺. 

Nothing in our implementation, or in principle, requires the intervals of an es 
to be disjoint. In our application, however, ess do have this property in most 
cases. We will use the term overlap to denote the intersection of two intervals 
within a single es. 

It is easy to see that ess are closed under operations such as union, intersec- 
tion, and complement; in measure theoretic terms, families of sets having this 
property are called rings. It is important to note that it is sets of intervals 
that are being operated on here, not the intervals in these sets. 

Note that since we identify singleton intervals with the real number they 
contain, any finite set of real numbers is an es. 

It will frequently be necessary to perform case analyses involving the posi- 
tions of points in an es relative to landmarks. An operation useful in automating 
such analyses is the split, denoted by ↓. A split takes as operands an arbitrary 
es and a finite set of reals (intuitively: landmarks), and produces an es as result. 

Definition Let E be a singleton es containing (only) the interval I ≠ ∅, 
and let S be a singleton set containing (only) the real number a. Then E ↓ S 
(equivalently: S ↓ E) is defined as 

{{x ∈ I | x < a}, a, {x ∈ I | x > a}} \ {∅} 

As special case, we define E ↓ ∅ to be E. 

Example: 

{[1, 2)} ↓ {1.5} = {[1, 1.5), 1.5, (1.5, 2)} 

{[1, 2)} ↓ {0} = {[1, 2)}, and 

{[1, 2)} ↓ {1} = {1, (1, 2)} 

It is easy to extend the split operator to the case where operands E and S 
are not singletons. If S = {a_1, ..., a_n}, we define E ↓ S recursively as 

(E ↓ {a_1}) ↓ {a_2, ..., a_n} 

If E = {I_1, ..., I_k}, then E ↓ S = ({I_1} ↓ S) ∪ ... ∪ ({I_k} ↓ S). 

3.1.2 Mappings on Elementary Sets 

We begin by reviewing some basic concepts of mappings. Recall that if D and 
R are arbitrary non-empty sets denoting the domain and range of a function 
f : D ↦ R, and if S ⊆ D, then f(S) = {f(s) ∈ R | s ∈ S}. In particular, of 
course, ess are subsets of Euclidean space, and thus functions having Euclidean 
space as domain extend immediately to ess. Furthermore, for arbitrary f, if 
f : D ↦ R and A and B are subsets of D, then it is easy to see that f(A ∪ B) = 
f(A) ∪ f(B). 

Since we are dealing with digital computers, which are necessarily finite, we 
must confine ourselves to finite sets. We therefore require that the mappings 
that occur in our application produce ess when applied to ess; we will call such 
mappings es-closed. It is thus appropriate to discuss the issue of closure of the 
class of ess under function application. 

The Mean Value Theorem implies that if I is an interval, and f is continuous, 
then f(I) is an interval. Thus: 

Theorem Continuous functions are es-closed. 

It is easy to exhibit examples of mappings that produce non-es values when 
applied to es arguments; for example, define 

f(x) = x if x is transcendental 
f(x) = 0 if x is rational 

Fortunately the sort of functions that occur as constituents of A and B mappings 
are better-behaved. In the case of Euler integration (as well as most other 
kinds), only + and * are involved in the B mapping; both are continuous, and 
thus es-closed. 

That takes care of the B mapping. What of A? The raison d'etre of CSM 
lies in the intractability of the A mapping; if A were well-behaved, analytic 
techniques would apply. Can we expect such a mapping to be es-closed? 

Somewhat surprisingly, the answer is in the affirmative for the sorts of func- 
tions likely to occur in CSMs. These functions typically include the basic 
arithmetic operations such as addition, subtraction, multiplication and division, 
which are manifestly continuous. In fact, the higher-level operations likely to be 
found in CSM programs, such as trigonometric and logarithmic functions, are 
invariably implemented as subprocedures composed of the four basic arithmetic 
operations. Thus the functions likely to occur in a CSM are all continuous. 

Computer programs are composed of computational expressions that are em- 
bedded in three types of control structures: statement sequencing, if-then-else, 
and looping constructs featuring some sort of termination construct such as a 
while condition. Statement sequences that contain no control constructs com- 
pute compositions of those computational (non-branching) functions provided 
by the machine architecture. 

It must be admitted that any modern computer provides a wide variety of 
additional operations, e.g. logical operations such as XOR. Such functions may 
not even be defined for arbitrary reals; the logical operations, in particular, 
operate only on integers (bit strings). We could, of course, fall back on the 
finite nature of the computer, and point out that a finite-state machine cannot 
produce an infinite set of outputs for a finite input. This argument is not 
satisfactory, however, since it depends on the finite-grainedness of computers. 
Matters are clarified by postulating an abstract machine featuring unlimited 
memory and infinite-precision operation. In this case discontinuous operations 
such as boolean functions do fail to be es-closed, while the basic arithmetic 
operations retain this property. The implementation of elementary functions on 
computers is such that we may safely assume that such discontinuous operations 
do not occur in the sorts of computations that constitute the A-computations. 

It is thus apparent that the computational part (sometimes termed the inner 
syntax ) of CSMs consists of compositions of continuous functions, which are in 
turn continuous. Discontinuity is introduced by if statements. Any program, 
however, has only a finite number of if statements, each of which has only a finite 
number of branches (usually two). The number of discontinuities introduced by 
if statements is thus finite. 

Finally, we note that a while loop represents a finite (since we assume it 
terminates) number of iterations, i.e. of compositions of the mapping repre- 
sented by its body, with itself. Iterating a function with at most finitely many 
discontinuities yields a function with at most finitely many discontinuities. We 
thus see that an A mapping is piecewise continuous, with at most finitely many 
discontinuities. 

The above discussion has, of course, the nature of argument rather than 
proof. Moreover, the assurance that a mapping has only finitely many discon- 
tinuities gives no assurance that this finite number will remain bounded, or if 
it does, that the bound will be a representable number. As we will see subse- 
quently, it is generally possible to reduce at least the ql es values of derivatives to 
Q_0, the space containing 0 as its only landmark. Simplification of the variables 
themselves is frequently possible as well. 


3.2 Interval Mathematics 

We now turn to the subject of interval mathematics, also known by the equiva- 
lent term interval analysis¹. This field of mathematics, which was pioneered by 
R. E. Moore [6], was originally motivated by the need to formalize the study of 
roundoff error in computer calculations. In such an application the uncertainty 
regarding the value of any variable is, of course, quite small; the basic techniques 
nonetheless apply unchanged to the ql reasoning field, where the uncertainty is 
frequently on the order of “x ∈ (0, ∞).” 

Interval mathematics has developed tremendously since its inception; the lit- 
erature now numbers over 500 papers. Fortunately the nature of our application 
is such that we will require only the most basic operations in order to provide 
a basis for the piecewise continuous functions which constitute CSMs. All such 
operations are implemented in terms of the machine’s basic add, subtract, mul- 
tiply and divide instructions, however; thus development of implementations of 
these basic operations was of the highest priority. We will use the term inter- 
val arithmetic to denote the operations of interval mathematics that implement 
basic arithmetic operations. 

As is pointed out elsewhere in this report, when dealing with CSMs we 
may confine ourselves to operations relevant to continuous mathematics, and 
need not consider other functions provided by computer instruction sets, such 

¹ Interval analysis generally concerns itself only with closed intervals. Our application does 
not allow this simplification. 
as boolean functions. We will illustrate the concepts involved by showing the 
interval arithmetic version of addition. 

The straightforward extension of any function f : D ↦ R to a function 
f : 2^D ↦ 2^R, which has been discussed previously, gives little indication of how 
the result is to be constructed computationally. It is this question that interval 
arithmetic addresses. 

3.2.1 Addition of es Values 

Since for arbitrary function f and subsets A, B of f's domain we have f(A ∪ B) = 
f(A) ∪ f(B), we may confine our discussion to singleton es operands, i.e. to ess 
consisting of a single interval. 

Let x = (a, b), y = (c, d). Then 

x + y = {r ∈ ℝ | ∃u, v such that u ∈ x, v ∈ y : r = u + v} 

= (a + c, b + d) 

Similarly, if both intervals are closed, the result will be closed. 

Some of the complexities that arise in these computations become apparent 
when we consider the case when one of the corresponding ends of the intervals 
is open, and the other closed, or one is ±oo, and the other is finite, or both are 
infinite. To consider a concrete example: 

(-3, 3) + (2, 4) = (-1, 7) 

[-3, 3] + [2,4] = [-1,7] 

(-3, 3) + [2,4] = (-1,7) 

(-3, 3] + [2,4] = (-1,7] 


By the f(A U B) = f(A) U /(B) principle, the operations of interval arith- 
metic extend immediately from the case where the operands are single intervals 
to arbitrary ess. For example, 

x + y = {u + v | u an interval in x, v an interval in y} 

Interval addition is deceptively simple, possibly leading the reader to 
conclude that for any arithmetic operation op, we have [(a, b]) op [(c, d]) = 
[(a op c, b op d]). That this is not the case can be seen by considering sub- 
traction: 

[(a, b]) - [(c, d]) = [(a - d, b - c]) 

In particular, [(a, b]) - [(a, b]) = [(a - b, b - a]) rather than [(0, 0]). 
Multiplication is defined as follows: 

[(a, b]) * [(c, d]) = [(min(a*c, a*d, b*c, b*d), max(a*c, a*d, b*c, b*d)]) 
The reciprocal 1/[(a, b]) of an interval [(a, b]) is given by [(1/b, 1/a]) if 
0 ∉ [(a, b]); if 0 ∈ [(a, b]) then 

1/[(a, b]) = [-∞, 1/a]) ∪ [(1/b, ∞] 

Finally, we have [(a, b]) / [(c, d]) = [(a, b]) * 1/[(c, d]). 

Since it is evident that interval arithmetic requires a computer even for sim- 
ple interval addition, it was clearly necessary to implement the basic arithmetic 
operations +, -, *, and / for ess. (In fact, + and * are all that is required 
for the B-computation: x := x + x' * dt.) In addition, every non-trivial A- 
computation will contain additional operations such as sin, cos, exp, etc. These 
were implemented as the need arose in the course of working examples. The 
current library of implemented es functions is adequate for most applications, 
and serves as model and basis for producing implementations of additional func- 
tions as required. For example, a tangent function for es can be implemented 
as 


(defun es-tan (x) (es-divide (es-sin x) (es-cos x))) 

The reader is referred to the implementation itself, reproduced in the Ap- 
pendix A, for details. 
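The split operator of section 3.1.1 and the interval arithmetic of section 3.2 can be written down in a few dozen lines. The following is an added example in Python, not the report's Lisp library: intervals carry open/closed marks and may have ±∞ endpoints, an es is a list of intervals (overlaps allowed, as the report permits), and the mark handling follows the report's rules, with the one-sided limit taken for 1/0 at an open endpoint and 0 * ∞ read as 0, which are this example's own choices. The sample values are the report's worked examples plus constructed ones.

```python
"""Elementary sets (ess) over the extended reals: the split operator of
section 3.1.1 and the interval arithmetic of section 3.2.  Added example in
Python, not the report's Lisp library.  An es is a list of Interval objects;
as in the report, overlapping intervals are permitted."""
from dataclasses import dataclass
from typing import Callable, List

INF = float("inf")


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    lo_closed: bool = True   # '[' when True, '(' when False  (left mark)
    hi_closed: bool = True   # ']' when True, ')' when False  (right mark)

    def is_empty(self) -> bool:
        # "the empty set is an interval": lo > hi, or lo == hi with an open mark
        return self.lo > self.hi or (self.lo == self.hi and not (self.lo_closed and self.hi_closed))

    def contains(self, x: float) -> bool:
        if x < self.lo or x > self.hi:
            return False
        return (x != self.lo or self.lo_closed) and (x != self.hi or self.hi_closed)

    def __str__(self) -> str:   # "+ 0.0" turns a -0.0 endpoint into 0
        return ("[" if self.lo_closed else "(") + f"{self.lo + 0.0:g}, {self.hi + 0.0:g}" + ("]" if self.hi_closed else ")")


ES = List[Interval]


def point(a: float) -> Interval:
    """The degenerate interval [a, a], identified with the number a."""
    return Interval(a, a)


def show(es: ES) -> str:
    return "{" + ", ".join(str(i) for i in es) + "}"


def intersect(i: Interval, j: Interval) -> Interval:
    """The tighter endpoint wins; on a tie the endpoint is closed only if both are."""
    if i.lo != j.lo:
        lo, lc = (i.lo, i.lo_closed) if i.lo > j.lo else (j.lo, j.lo_closed)
    else:
        lo, lc = i.lo, i.lo_closed and j.lo_closed
    if i.hi != j.hi:
        hi, hc = (i.hi, i.hi_closed) if i.hi < j.hi else (j.hi, j.hi_closed)
    else:
        hi, hc = i.hi, i.hi_closed and j.hi_closed
    return Interval(lo, hi, lc, hc)


def split(es: ES, landmarks: List[float]) -> ES:
    """E ↓ S: cut every interval I of E at every landmark a into {x in I | x < a},
    a (kept only when a lies in I, as in the report's examples) and
    {x in I | x > a}, dropping the empty pieces."""
    for a in landmarks:
        cuts = [Interval(-INF, a, True, False), point(a), Interval(a, INF, False, True)]
        es = [p for i in es for p in (intersect(i, c) for c in cuts) if not p.is_empty()]
    return es


def add(i: Interval, j: Interval) -> Interval:
    """[(a, b]) + [(c, d]) = [(a + c, b + d]); an end is closed only if both ends are."""
    return Interval(i.lo + j.lo, i.hi + j.hi, i.lo_closed and j.lo_closed, i.hi_closed and j.hi_closed)


def sub(i: Interval, j: Interval) -> Interval:
    """[(a, b]) - [(c, d]) = [(a - d, b - c]); x - x is [(a - b, b - a]), not 0."""
    return Interval(i.lo - j.hi, i.hi - j.lo, i.lo_closed and j.hi_closed, i.hi_closed and j.lo_closed)


def mul(i: Interval, j: Interval) -> Interval:
    """[(min of the four endpoint products, max of them]).  An infinite endpoint
    is a limit rather than a value, so 0 * inf is taken as 0 here."""
    prod = lambda x, y: 0.0 if x == 0 or y == 0 else x * y
    ends = [(prod(x, y), xc and yc)
            for x, xc in ((i.lo, i.lo_closed), (i.hi, i.hi_closed))
            for y, yc in ((j.lo, j.lo_closed), (j.hi, j.hi_closed))]
    lo, hi = min(v for v, _ in ends), max(v for v, _ in ends)
    return Interval(lo, hi, any(c for v, c in ends if v == lo), any(c for v, c in ends if v == hi))


def recip(i: Interval) -> ES:
    """1/[(a, b]) = [(1/b, 1/a]) if 0 is outside; [-inf, 1/a]) ∪ [(1/b, inf] if 0 is
    inside (the report's rule).  1/0 at an open endpoint is the one-sided limit."""
    if not i.contains(0.0):
        hi_inv = -INF if i.hi == 0 else 1.0 / i.hi    # b = 0 can only be open: 1/0- = -inf
        lo_inv = INF if i.lo == 0 else 1.0 / i.lo     # a = 0 can only be open: 1/0+ = +inf
        return [Interval(hi_inv, lo_inv, i.hi_closed, i.lo_closed)]
    pieces: ES = []
    if i.lo < 0:
        pieces.append(Interval(-INF, 1.0 / i.lo, True, i.lo_closed))
    if i.hi > 0:
        pieces.append(Interval(1.0 / i.hi, INF, i.hi_closed, True))
    return pieces                                       # empty for the singleton 0


def es_op(op: Callable[[Interval, Interval], Interval], x: ES, y: ES) -> ES:
    """f(A ∪ B) = f(A) ∪ f(B): apply op to every pair of constituent intervals."""
    return [r for a in x for b in y for r in [op(a, b)] if not r.is_empty()]


def es_div(x: ES, y: ES) -> ES:
    """[(a, b]) / [(c, d]) = [(a, b]) * 1/[(c, d]), lifted to ess."""
    return es_op(mul, x, [r for j in y for r in recip(j)])


if __name__ == "__main__":
    print(show(split([Interval(1, 2, True, False)], [1.5])))   # {[1, 1.5), [1.5, 1.5], (1.5, 2)}
    print(add(Interval(-3, 3, False, True), Interval(2, 4)))    # (-1, 7]
    print(show(recip(Interval(-1, 2))))                         # {[-inf, -1], [0.5, inf]}
```

The mark rules are where the work is: an endpoint of a sum is closed only when both contributing endpoints are, the reciprocal of an interval straddling 0 splits into two unbounded pieces, and a split at a landmark that lies outside the interval leaves it untouched, which is what makes {[1, 2)} ↓ {0} = {[1, 2)} come out as in the text.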

3.3 Application to Qualitative Reasoning and 
Qualitative Simulation 

The major point of the preceding development of es and interval mathematics 
concepts is that CSM-based ql simulation proceeds formally exactly as does 
ordinary (qn) CSM-based simulation, with the proviso that for ql simulation 
the operands of the CSM (more precisely: of the A and B mappings) are ess 
rather than real numbers. We begin our discussion of CSM-based ql simulation 
by examining the source of these es operands. 

As is the case in traditional ql modeling, the ql CSM model contains a set 
of variables representing the quantities of interest in the system. Moreover, we 
have as given a set of landmark values: a finite set of distinguishing points (which 
always include ±∞) on the real axis ℝ⁺. In our formulation each variable has 
associated with it its own personal set of landmark values; that set is a totally 
ordered finite subset of ℝ⁺. No particular ordering need be assumed, however, 
for the landmarks of one variable relative to those of another. 

Since the set of landmarks associated with a model variable is a set of num- 
bers, it is clearly an es. We will use the notation 

L(x) = {l | l is a landmark of x} 

(more precisely: L(x) = {[l, l] | l is a landmark of x}.) For example, if x is the 
variable of the abstract buzzer example, then L(x) = {Imin, a, Imax}. 
It is interesting to examine the possible values that x can assume. The value 
of x may be one of Imin, a, or Imax, or it may be in one of the intervals 
(-∞, Imin), (Imin, a), (a, Imax), or (Imax, ∞). Much more concisely, x ∈ L(x) ∨ x ∈ ¬L(x). 

The preceding paragraph illustrates the fact that ess are a concise notation 
for representing qualitative variables. It is also apparent that at any time any 
variable x is either in L(x) or its complement ¬L(x). Moreover, the value of 
any CSM variable alternates between L(v) and ¬L(v). 

It is important to emphasize at this point the fact that any variable v in 
any model at any time has a distinct numeric value. The es thus cannot be 
considered to be the value of a model variable; rather, it represents our knowledge 
of the value of that variable. The notation [v] = (a, b) does not indicate that 
the interval (a, b) is the value of v, but rather that the value of v is somewhere 
between a and b, although we are not sure exactly where. When no confusion is 
possible we will become sloppy and use the notation v = E (E an elementary 
set) rather than [v] = E, to denote the fact that the qualitative value of v is 
E. 

It is evident that the traditional qualitative values are a special case of our 
representation, corresponding to the case L(v) = {0}. We will call this par- 
ticular landmark set the Q_0 space. The es representation facilitates specifying 
the state of knowledge as precisely as possible. For example, if we know that x 
is between 1/2 and 1 or between 2 and infinity, we can indicate this by writing 
[x] = {(0.5, 1), (2, ∞)}, rather than the coarser-grained [x] = [+]. In addition, 
the es representation prevents the proliferation of variables occasioned by the 
traditional ql value space [-], [0], [+]. For example, to utilize the traditional 
space for the abstract buzzer problem it is necessary to introduce new variables. 

x1 = x - Imin 

x2 = x - a 
x3 = x - Imax 

Each of the new variables has only the single landmark 0; we believe, however, 
that such proliferation of variables radically reduces intelligibility. 

ql reasoning usually deals with the ql values [-], [0], [+], and [?] (the Q_0 
space). 

[x] = [-] means x ∈ [-∞, 0) 

[x] = [0] means x ∈ [0, 0], i.e. x = 0 

[x] = [+] means x ∈ (0, ∞] 

[x] = [?] means x ∈ [-∞, ∞] 

We, however, are using a quantitative simulation as reasoning basis and thus 
have a qn mapping A explicitly given. The Q_0 space is not 
closed under the operations that commonly occur in CSMs. For example, if 
[x] = [+], then after executing y := sin(x), y ∈ [-1, 1]. To map this result 
to the Q_0 space, we must either have [y] = [?], or must case-analyze: 

y ∈ [-1, 0) ⇒ [y] = [-] 
y ∈ [0, 0] ⇒ [y] = [0] 
y ∈ (0, 1] ⇒ [y] = [+] 

Two of these alternatives, however, discard information. Since y may well be 
involved in downstream computations, this is undesirable. 
Chapter 4 

Envisionments and 
Envisionment Generation 

4.1 Definition and Purpose of Envisionments 

The intuitive meaning of landmarks is that they are the points within the do- 
main of each variable where “something interesting” happens. “Something in- 
teresting” is a subjective notion; in general, however, it can be stated that 
discontinuities are interesting, as are points where a derivative changes sign. 
Other points in ℝ⁺ may be interesting as well, depending on the problem at 
hand. The set of landmarks associated with each model variable is, after all, 
chosen by the user in what may be an arbitrary manner; in general, however, 
the points having the above-mentioned properties must be included if the ql 
analysis is to make sense. 

Given a set of landmarks, an operating region of n-space is a (maximal) set 
of points (model variable values) such that all points in the region have the same 
qualitative (es) values, and A-map onto the same ql derivative values. 

A qualitative state is a set of assignments of qualitative values to the variables 
and derivatives of a CSM. From the above definition of operating region it is 
easy to see that all points of an operating region have the same qualitative state. 

As a simulation proceeds, the values of model variables will, in general, 
transit from one operation region into another. A corresponding transition will, 
of course, occur from the ql state corresponding to the source region to the 
state representing the destination region. A state diagram depicting the ql 
states representing the operating regions of a ql model and the possible (subject 
to model constraints) transitions among these states is called an envisionment. 

Much mainstream ql reasoning research [3] is concerned with generation and 
manipulation of envisionments. A significant portion of the second year of this 
research was devoted to a (successful) search for techniques for automatically 
generating envisionments from CSMs. 

Envisionments serve a number of purposes in ql reasoning, most of which are 
thoroughly covered in [3]. As concerns the present research, ql state diagrams al- 
low interpretation of observations of physical systems, as well as providing an 
abstract characterization of system behavior, correct as well as faulty. Further- 
more, envisionments allow the wp transform we have developed to be applied 
without incurring combinatorial explosions. 

4.2 Representation of Qualitative States 

Since traditional ql simulation deals with ql values from Q_0 space, the corre- 
sponding ql states are accordingly vectors of values from Q_0 space: 

x : [+]  y : [-]  z : [?] 

An envisionment consists of such states, and arrows representing pos- 
sible transitions among them. 

… traditional … CSM. 

The state of a CSM is given at any time by specifying the values of 
all variables occurring in the model. To maintain some semblance of tractability, 
… 

A (B) states represent qualitative values of variables at loop point A (B). … 
so that the state is specified by giving the values 
of only the endogenous variables. At point B, the A-computation is finished and 
the auxiliary variables that computation employed are no longer 
relevant. The B-computations involve no exogenous or auxiliary variables, so 
…, which dynamical systems theory also terms the state variables of 
the system. 

… qualitative reasoning, the state variables will be bound to 
ess … employ the Q_0 space; the same may or may 
not be true for 0-order variables (i.e. variables which are not derivatives). If … 

… A states are enclosed in [. . .] brackets within text; since the computations for the highest derivatives are 
separate from the computations of all other values, we will frequently separate 
them by a vertical bar in the state: 

[ x_1 : es_1 ··· x_n : es_n | x'_1 : deriv_es_1 ··· x'_n : deriv_es_n ] 

B states are represented by oval boxes having similar content, or by enclosing 
the state in (. . .). If we wish to avoid specifying the type of a state, we enclose 
it in [(. . .]). 

Useful facts about CSM-envisionment states: 

• Only B-states correspond to real-world situations, since only at point B 
of the loop are all variables at the same time point 

• The values of the qualitative state variables are frequently +, -, 0, and ?, 
especially the variables representing derivatives 

In fact, the qualitative value of a variable may be an arbitrary finite subset 
of the real line. 

We usually care only about the sign of derivatives. 

• The variables change by this pattern: 

at B: at A: at B again: at A again: 

[u | v] --> (u | v') --> [u' | v'] --> (u' | v'') 


4.3 Generating the Envisionment from the 
CSM 

The Starting Point Initially each member of the set of state variables has 
as ql value an es. In addition, each state variable x has associated with it a set 
of landmark values L(x). 

4.3.1 The Set of Initial States 

We begin with a definition. Recall that the configuration of a state is 

S = [(x_1 ··· x_n | x'_1 ··· x'_n]) 

The ql values of the derivatives are confined to [-], [0], [+], [?]; the values of 
the x_i, however, are arbitrary ess: x_i = {I_i1, ..., I_in}, I_ij an interval. 

We then define the reduction R = R(S) of S as 

R = {[(I_1 ··· I_n | x'_1 ··· x'_n]) | I_i ∈ x_i} 

Thus R is the set of all states derivable from S by keeping only a single interval 
from each x_i of S, and making no changes to the derivatives. 

The set of initial states (which are always A states, since the CSM compu- 
tation begins at point A) is then the reduction 

[ x_1 : x_1* ↓ L(x_1) ··· x_n : x_n* ↓ L(x_n) | x'_1 : [?] ··· x'_n : [?] ] 

where x_i* denotes the initial interval value of variable x_i. Recall that [?] is 
shorthand for the es {(-∞, ∞)}. 

For example, if the (only) state variable is x, with initial ql value [x] = 
(-1, 1), and L(x) = {0}, then we have x ↓ L(x) = {(-1, 0), 0, (0, 1)}. The set of 
initial states is then 

{ [x : (-1, 0) | x' : [?]], [x : 0 | x' : [?]], [x : (0, 1) | x' : [?]] } 

The A-computation, of course, will assign values to x' immediately. 


4.3.2 Generating the Successor B states of an Arbitrary 
A State 

Transitions out of A States 

We will begin with an example. Consider the relay servo previously discussed, 
which has A-computations (state variable form) 

p' = -q*A - p/B 
q' = -G/B, 

where 

G = -1 if F(t) < q 
G = 1 if F(t) > q 
G = 0 if F(t) = q 

F(t) is the (exogenous) input being controlled. The A-computations of the CSM 
loop are thus 

(*S1*) p' := -q*A - p/B; 

(*S2*) if F(t) < q → q' := -1/B; 

          F(t) > q → q' := 1/B; 

          F(t) = q → q' := 0; 
       fi 
Suppose that as before we have A = 2, B = 0.5, V = 1. Furthermore, suppose 
F(t) is constant at 0. Let the initial values of p = (-1, 0) and q = (0, ∞). p 
has no landmarks; the only landmark for q occurs at q = F(t), i.e. q = 0. 
We compute the set of initial states, and obtain the singleton 

{[p : (-1, 0) q : (0, ∞) | p' : [?] q' : [?]]} 

Given these values of p and q, statement S1 taken as interval arithmetic expres- 
sion produces 

[p'] = -(0, ∞) * 2 - (-1, 0)/0.5 = (-∞, 0) - (-0.5, 0) = (-∞, 0) 

At statement S2 we see that since [q] = (0, ∞), only the guard F(t) < q can 
be true. Thus [q'] becomes -1/0.5 = -2. We have thus reached the B state 

(p : (-1, 0) q : (0, ∞) | p' : (-∞, 0) q' : -2) 

or, discarding superfluous derivative information, 

(p : (-1, 0) q : (0, ∞) | p' : [-] q' : [-]) 

Suppose that in the above example we had used q = [0, ∞) as initial value 
instead. Then the ↓ operator would have produced 

[p] = (-1, 0), [q] = {0, (0, ∞)} 

Applying reduction to this produces the set of (two) initial states 

{[p : (-1, 0) q : [0] | p' : [?] q' : [?]], [p : (-1, 0) q : (0, ∞) | p' : [?] q' : [?]]} 

Since the guard F(t) = q is true for the former state, the A-computation 
now produces the B state 

(p : (-1, 0) q : [0] | p' : [-] q' : [0]) 

in addition to the B state computed above. 

The preceding example has made it clear that if statements occurring within 
the A-computations can lead to branching, since the destination B state depends 
on which guard was true. The example contains a particularly straightforward 
situation, insofar as the es values of the variables involved were such that a 
unique guard could be determined to be true. The general case is more 
complicated. Suppose we have a statement of the form 

if {S0:} x > y then {S1:} <statement_1> 
              else {S2:} <statement_2>; 

and that [x] = (0, 2) and [y] = {(-∞, -1], [1, ∞)}. What should be the values 
of x and y as a result of executing this if statement? More precisely, it is clear 
that each of the two possible outcomes of the boolean expression corresponds 
to distinct successor values of x and y. What should they be for each of the two 
branches? 

The initial impulse is to require that if the S1 branch is taken, the new 
ql values [x] and [y] of x and y should be subsets of the real line such that for 
arbitrary u ∈ [x], v ∈ [y] the boolean expression u > v holds. In general 
such a choice is not possible; in the example there is no u ∈ [x] that 
guarantees that u > v for arbitrary v ∈ [y]. 

It is clear that we must lower our expectations, or abandon the attempt to 
apply A-mappings to ql states, i.e. to es-valued variables. We shall proceed as 
follows: Suppose the state at point S0 is 

[x : [x]  y : [y] | x' : [α]  y' : [β]] 

Then execution of the if statement produces two (more generally: one per 
branch) successor configurations s1 and s2. We stipulate: 

s1 = [x : σ  y : ν | x' : α  y' : β] 

where 

σ = {u ∈ [x] | ∃v ∈ [y] such that u > v} 
ν = {v ∈ [y] | ∃u ∈ [x] such that u > v} 

In words, the new ql values of x and y are sets of reals such that for any point 
chosen from one of the ql values, it is possible to choose a point from the ql value 
of the other variable such that the boolean expression is satisfied. Similarly, we 
have 

s2 = [x : η  y : θ | x' : α  y' : β] 

where 

η = {u ∈ [x] | ∃v ∈ [y] such that u < v} 
θ = {v ∈ [y] | ∃u ∈ [x] such that u < v} 

In terms of our example, state 

[x : (0, 2)  y : {(-∞, -1], [1, ∞)} | x' : [α]  y' : [β]] 

produces the two successor configurations 

s1 = [x : (0, 2)  y : {(-∞, -1], [1, 2)} | x' : [α]  y' : [β]] 

and 

s2 = [x : (0, 2)  y : {[1, ∞)} | x' : [α]  y' : [β]] 
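The σ/ν and η/θ construction above, worked in Python as an added example (this is not the report's code; the report's own implementation is the Lisp find_less / find_greater with prune_less / prune_greater in Appendix A). The interval tuple representation, the names cut_above, cut_below, normalize, branch and if_statement, and the EXAMPLE state are this example's own constructions. The state carries only the ql values of x and y, since the step leaves the derivatives unchanged. One choice goes beyond the text: pieces that overlap are merged, so the es returned is canonical (the appendix's find_less leaves such duplicates in its list). A branch for which no pair of points can satisfy the comparison is dropped, which is exactly the "unique guard" situation of the relay servo example.

```python
import math

INF = math.inf

# An interval is (lo, hi, lo_closed, hi_closed); a point value v is (v, v, True, True).
# An es ("extended set") value, the report's [x] = {I_1, ..., I_k}, is a list of intervals.

def point(v):
    return (v, v, True, True)

def cut_above(iv, c):
    """iv ∩ (c, +inf): the part of iv strictly greater than the real c (None if empty)."""
    lo, hi, lc, rc = iv
    if hi <= c:                      # even a closed right end equal to c is not > c
        return None
    return iv if lo > c else (c, hi, False, rc)

def cut_below(iv, c):
    """iv ∩ (-inf, c): the part of iv strictly less than c (None if empty)."""
    lo, hi, lc, rc = iv
    if lo >= c:
        return None
    return iv if hi < c else (lo, c, lc, False)

def normalize(pieces):
    """Drop empty pieces, then sort and merge overlapping or abutting intervals so the
    es is canonical (this merging is an addition; the Lisp keeps every pruned piece)."""
    pieces = sorted((p for p in pieces if p is not None), key=lambda p: (p[0], not p[2]))
    merged = []
    for lo, hi, lc, rc in pieces:
        if merged:
            mlo, mhi, mlc, mrc = merged[-1]
            if lo < mhi or (lo == mhi and (mrc or lc)):      # overlaps, or touches with no gap
                if hi > mhi or (hi == mhi and rc):
                    mhi, mrc = hi, rc
                merged[-1] = (mlo, mhi, mlc, mrc)
                continue
        merged.append((lo, hi, lc, rc))
    return merged

def branch(state, x, op, y):
    """One branch of `if x op y` on es-valued variables, as stipulated in the report:
    keep the points u of [x] for which SOME v in [y] satisfies u op v, and symmetrically
    for [y]. Returns the successor configuration, or None if the branch is infeasible."""
    xs, ys = state[x], state[y]
    if op == '>':     # sigma / nu
        new_x = [cut_above(a, b[0]) for a in xs for b in ys]   # u > v for some v  <=>  u > inf(b)
        new_y = [cut_below(b, a[1]) for a in xs for b in ys]   # v < u for some u  <=>  v < sup(a)
    elif op == '<':   # eta / theta
        new_x = [cut_below(a, b[1]) for a in xs for b in ys]
        new_y = [cut_above(b, a[0]) for a in xs for b in ys]
    else:
        raise ValueError("the report defines the step for '>' and '<' only")
    new_x, new_y = normalize(new_x), normalize(new_y)
    if not new_x or not new_y:
        return None
    new = dict(state)
    new[x], new[y] = new_x, new_y
    return new

def if_statement(state, x, y):
    """Successor configurations of `if x > y then S1 else S2`: s1 (the x > y branch)
    and s2 (the x < y branch), omitting any branch that no pair of points can satisfy."""
    candidates = (('s1', branch(state, x, '>', y)), ('s2', branch(state, x, '<', y)))
    return {name: s for name, s in candidates if s is not None}

# Constructed example, the state of the report: [x : (0,2)  y : {(-inf,-1], [1,inf)} | ...]
EXAMPLE = {'x': [(0, 2, False, False)],
           'y': [(-INF, -1, False, True), (1, INF, True, False)]}

if __name__ == '__main__':
    for name, s in if_statement(EXAMPLE, 'x', 'y').items():
        print(name, s)
```

Applied to EXAMPLE the block returns the two configurations listed above; applied to the relay servo situation (a constant input F = 0 compared with q ∈ (0, ∞)) only the F < q branch survives, the other coming back as None.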
Let us examine the effect of this branching process more closely. Configuration 
s1 (s2) corresponds to the state of knowledge at program point S1 (S2). As 
we have seen, it is not the case that arbitrary values for x and y chosen from s1 
will necessarily satisfy x > y. However, the meaning of the statement [x] = E 
is that the actual value of x is unknown, but is somewhere in the es E. It is 
easy to see that the branching process preserves this meaning. 

It is important to note that the branching process we have described does 
not correspond to the transition from an A state to a B state, but rather to a 
step within the A-computation, to wit the step of executing the if statement in 
question. 

It is left to the interested reader to generalize the above branching process 
to arbitrary sets of ql variables and arbitrary boolean expressions composed of 
comparisons of variables and constants connected by the usual boolean opera- 
tors, as well as to verify that the resulting ql values are ess, i.e. if-branching 
is es-closed. An indication of the nature of the proof may be found by exam- 
ining the algorithm that performs general if-branching in the implementation 
(Appendix A). 

Here, then, is the procedure for computing the set of successor B states of a 
given A state s_A. Let S_1, ..., S_n denote the statements of the A-computation. 

state_set := R(s_A);                     -- compute the reduction of s_A 
for k in 1..n do 
    new_state_set := emptyset; 
    for_each s in state_set do 
        s' := set of successors of s obtained upon executing S_k; 
        new_state_set := new_state_set union s'; 
    end for_each; 
    state_set := new_state_set; 
end for; 
-- upon termination, state_set contains the set of B states that succeed s_A. 

It is interesting to note the source of landmarks. It has been intimated 
that they are provided by the user as input. The above discussion, however 
makes it obvious that target states are produced not only from user-supplied 
landmarks, but also from if statements. In fact, the user is not compelled to 
supply any landmarks at all; in the relay servo example discussed above, p had 
no landmarks. In such cases, all branching occurring in transitions from B to 
A states is produced by if statements. Here is a simple example: suppose we 
have ql variable x, for which neither landmarks nor ql value are known. We 
must therefore begin by assuming [x] = ?, i.e. x = (-∞, ∞). Suppose the 
A-computations begin with 

x := sin(x);              -- now x = [-1, 1] 
if x > 0 then S1 else S2; 

At this point two resulting states are created, one for x < 0 and one for x > 0. 
We thus have branching transitions, despite the lack of any information about 
the landmarks or value of the variable involved. 

4.3.3 Generating the Successor A States of an Arbitrary B State 

We continue our discussion of envisionment generation by describing the con- 
struction of transitions out of B states. The B mapping generally produces 
branching, i.e. a set of possible transitions to new (A) states. We will examine 
how this comes about. 

At point B we have a set of values current for time t for all variables, and 
are about to compute subsequent values by means of equations of the form 

where the time subscript is usually implicit. Transitions out of the present 
B-state are constructed in accordance with deKleer & Bobrow’s principles [5], 
modified as required for the purposes of dealing with continuous simulation 
models. We repeat the original versions here for completeness: 

Rule 0: Value continuity: values must change continuously over a transition, 
i.e. a value cannot go from - to + without assuming the value 0 at some 
intermediate state. 

Rule 1: Contradiction avoidance: the system cannot transit to an inconsistent 
state. Note that this Rule fails to hold in the presence of faults. 

Rule 2: Instant change rule: changes from 0 happen at an instant. 

Rules 3, 4, and 5 merely state that Rules 0 and 2 also apply to derivatives; 
this is self-evident in our context. 

Rule 6: Change to all 0 derivatives is impossible. 

The following modifications and qualifications are required when applying these 
principles to construction of transitions out of B-states in state diagrams for 
continuous simulations: Rules 0 and 2 are oddities in that they do not, strictly 
speaking, hold for continuous simulation models: if x[t] < 0, then x[t + 1] = 
x[t] + x'[t] * dt can be > 0 if dt is sufficiently large. For similar 
reasons, a non-zero quantity may reach 0 at the same time (iteration) that 
another quantity becomes non-zero, thus violating Rule 2. We ignore these 
potential violations in qualitative reasoning, however, since they depend on the 
value of dt. CSM-based qualitative reasoning assumes that dt values can be 
made arbitrarily small, in order to provide arbitrarily close approximations to 
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the differential equation model. Since dt can always be chosen small enough so 
that the above rule violations do not occur, we posit that rules 0 and 2 hold in 
the qualitative domain, for transitions out of B states. As it happens, Rule 0 
does not hold at all for transitions out of A-states. 

Similar reasoning justifies Rule 6. Suppose that at point B some quantity 
x^(j) <> 0. Then x^(j-1), computed by 

x^(j-1) := x^(j-1) + x^(j) * dt 

can equal 0 only if x^(j-1) = -x^(j) * dt. Again this depends on a fortuitous 
choice of dt, and clearly a dt can be chosen so that no variable transits to zero. 

An intuitive grasp of Rule 6 in the continuous simulation context can be 
obtained by noting that any simulation model can be run backwards in time by 
taking final values as initial values, and choosing a negative dt. Starting our 
backward run with all quantities equal to zero (stationary) clearly cannot result 
in any (simulated) motion as a result of the B computations. 

Given the above considerations, we are now in a position to describe how 
transitions out of B states are computed. We begin by recalling that the con- 
figuration of a state is 

S = [x_1 ... x_n | x'_1 ... x'_n] 

The ql values of the derivatives are confined to [-], [0], [+]; the values of the 
x_i, however, are arbitrary ess: X_i = {I_1, ..., I_k}, each I_j an interval. 

Let S be an arbitrary B state. We begin the construction process by con- 
structing a set of preliminary “scratch” configurations R = R(S), the reduction 
of S. Given R, constructing the target A states is straightforward. 

For each configuration in R: 

• If any x_i^(j)[t] = l, where l is a landmark, and x_i^(j+1)[t] > 0, then transit 
to an A state with x_i^(j) bound to (l, m) where m is the smallest landmark 
greater than l, and all other bindings unchanged (Rule 2). (Note: m may 
be ∞.) Similarly, if x_i^(j+1)[t] < 0, then x_i^(j) becomes bound to (k, l), 
where k is the greatest landmark less than l. 

If several variables qualify, transit to a state in which each is newly bound 
as described above. These are the only transitions out of such a state. 

• If there are no variables bound to landmark values, add arrows leading to 
A-state successors by identifying quantities moving to their thresholds: if 
[x_i^(j)] is in the interval between two landmarks, and [x_i^(j+1)] <> 0, then 
x_i^(j) is moving to a threshold, unless the end of the interval toward which 
it is moving is ±∞. A binding change for [x_i^(j)] to the landmark value 
toward which it is moving is then possible. Add arrows for all possibilities 
and all combinations of possibilities of such binding changes. 
Here is an example of this construction. 

Let 

S = (x : (2, 3]  y : {-1, [0, ∞)} | x' : +  y' : -) 

and suppose integers are landmarks. 

Then 

R = { [(x : (2, 3]  y : -1 | x' : +  y' : -)],  [(x : (2, 3]  y : [0, ∞) | x' : +  y' : -)] } 

From temporary configuration [(x : (2, 3]  y : -1 | x' : +  y' : -)] we see 
that x is moving right and will ultimately reach 3; y is moving left. Transitions 
from points happen at an instant (i.e. the time for x to reach 3 is finite, 
while the time it takes y to move off -1 is infinitesimal), and we see that 
[x : (2, 3]  y : (-2, -1) | x' : +  y' : -] is one of the target A states. 

Similar considerations show that the “scratch” configuration 

[(x : (2, 3]  y : [0, ∞) | x' : +  y' : -)] 

will produce the target A states 

[x : 3  y : [0, ∞) | x' : +  y' : -], 
[x : (2, 3]  y : 0 | x' : +  y' : -] and 
[x : 3  y : 0 | x' : +  y' : -] 

The last state corresponds to x and y reaching their landmarks simultaneously. 
We now discard R, and are left with the transitions 

(x : (2, 3]  y : {-1, [0, ∞)} | x' : +  y' : -) 
    --> [x : (2, 3]  y : (-2, -1) | x' : +  y' : -], 
    --> [x : 3  y : [0, ∞) | x' : +  y' : -], 
    --> [x : (2, 3]  y : 0 | x' : +  y' : -] and 
    --> [x : 3  y : 0 | x' : +  y' : -] 

It is clear that the tedious and painstaking nature of this process makes the 
computer implementation indispensable. 
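The construction just carried out by hand, as an added Python example (not the report's Lisp implementation): reduction of the B state, Rule 2 for configurations in which some moving variable sits on a landmark, and otherwise one target per non-empty combination of threshold arrivals. It assumes that landmarks are supplied as a finite list per variable (the integers -5..5 stand in for "integers are landmarks"), that a point-valued variable sits on one of its landmarks, and that the end of the interval toward which a variable moves is the landmark it reaches. The names a_successors, reduction, next_landmark, canonical and S_* are this example's own.

```python
import math
from itertools import product, combinations

INF = math.inf
# Interval: (lo, hi, lo_closed, hi_closed); a landmark value l is the point (l, l, True, True).

def point(v):
    return (v, v, True, True)

def reduction(values):
    """R(S): every configuration obtainable by keeping a single interval from each es value."""
    names = list(values)
    return [dict(zip(names, combo)) for combo in product(*(values[n] for n in names))]

def next_landmark(landmarks, l, direction):
    """Smallest landmark above l (direction +1) or greatest below it (-1); ±inf if none."""
    cands = [m for m in landmarks if (m > l if direction > 0 else m < l)]
    if not cands:
        return INF if direction > 0 else -INF
    return min(cands) if direction > 0 else max(cands)

def a_successors(values, derivs, landmarks):
    """Target A states of the B state (values | derivs).
    values: variable -> es (list of intervals); derivs: variable -> '+', '0' or '-';
    landmarks: variable -> list of landmark reals. A point-valued variable is assumed
    (as in the report's examples) to sit on one of its landmarks."""
    targets = []
    for cfg in reduction(values):
        moving = {x: (1 if derivs[x] == '+' else -1) for x in cfg if derivs[x] != '0'}
        on_landmark = [x for x in moving if cfg[x][0] == cfg[x][1]]
        if on_landmark:
            # Rule 2: leaving a landmark takes an instant, so every such variable moves into
            # the open interval toward its next landmark and nothing else changes; this is
            # the only transition out of the configuration.
            new = dict(cfg)
            for x in on_landmark:
                l, d = cfg[x][0], moving[x]
                m = next_landmark(landmarks[x], l, d)
                new[x] = (l, m, False, False) if d > 0 else (m, l, False, False)
            targets.append(new)
            continue
        # Nobody sits on a landmark: every variable moving toward a finite end of its
        # interval may reach it; add one target per non-empty combination of arrivals.
        arriving = {}
        for x, d in moving.items():
            lo, hi, _, _ = cfg[x]
            end = hi if d > 0 else lo
            if math.isfinite(end):
                arriving[x] = point(end)
        names = list(arriving)
        for r in range(1, len(names) + 1):
            for chosen in combinations(names, r):
                new = dict(cfg)
                new.update({x: arriving[x] for x in chosen})
                targets.append(new)
    return targets

def canonical(states):
    """Order-independent view of a list of configurations, for comparison."""
    return sorted(sorted(s.items()) for s in states)

# Constructed example: the report's S = (x : (2,3]  y : {-1, [0,inf)} | x' : +  y' : -),
# with the integers as landmarks (a finite range of them suffices here).
S_VALUES = {'x': [(2, 3, False, True)], 'y': [point(-1), (0, INF, True, False)]}
S_DERIVS = {'x': '+', 'y': '-'}
INTEGER_LANDMARKS = {'x': list(range(-5, 6)), 'y': list(range(-5, 6))}

def example():
    return a_successors(S_VALUES, S_DERIVS, INTEGER_LANDMARKS)

if __name__ == '__main__':
    for t in example():
        print(t)
```

Run stand-alone it prints the four target A states listed above; the derivative bindings are not carried in the dictionaries because the B-to-A step leaves them unchanged.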

4.4 Examples 

4.4.1 An Abstract Buzzer 

A program was written to generate envisionments automatically. Figure 4.1 
shows the envisionment produced for the abstract buzzer: It should be pointed 
out that the graphic state diagram was created by hand from the actual output 
of the envisionment generator, which produces a list of states and transitions. 
loop 
{A:} 
S1: if 
      l >= lmax              --> l' := 0; 
      l <= lmin              --> l' := 0; 
      lmin < l & l <= a      --> l' := 1; 
      a < l & l < lmax       --> l' := -1; 
    fi 
{B:} 
S2: l := l + l' * dt 
until done; 

Figure 4.1: Envisionment of Abstract Buzzer 
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4.5 An AEROBEE Rocket Control System 

The Aerobee is a small research rocket used to carry scientific payloads into 
space. It contains an attitude control system which can be used to orient in- 
struments toward designated celestial objects. This control system utilizes two 
reference and three orthogonal rate gyros to determine orientation and rates of 
change of attitude. For simplicity, only a single-axis system will be simulated. 
Space restrictions preclude a detailed description of the attitude control system 
components and circuitry; the reader is referred to [1] for further discussion. In 
outline form, the system operates as follows. The free gyro produces an error 
voltage EV = G2 * sin(RA - X), where G2 is the gyro sensitivity, RA the 
reference angle (i.e. the intended angle of orientation), and X is the actual angle 
of orientation of the rocket. This error voltage EV is added with a feedback 
voltage FV = -G1 * X' from a rate gyro by a mixing network that contains 
resistors R1, R2, and R3; G1 is the sensitivity of the rate gyro. The voltage V 
output by the network is given by V = C1 * EV + C2 * FV, where 

C1 = 1/(1 + (1 + R3/R2) * (R1/R3)), and 
C2 = 1/(1 + (1 + R3/R1) * (R2/R3)) 

The dynamics of the rocket can be taken as X'' = F * MA / I, where MA is the 
moment arm, I is the moment of inertia of the rocket about its longitudinal axis, 
and F is the force produced by the gas thrustors used to control the angular 
orientation. These thrustors can produce only three discrete levels of force: FA, 
0, and -FA; there is a dead space of 2 * DS. The following LISP statements 
represent a simulation of this nonlinear feedback control system. Note that the 
program statements are in infix form; for reasons extraneous to this discussion 
it was considered desirable to implement an infix-to-prefix parser to preprocess 
such statements. 


; value assignments to system parameters and constants 
(setq C1 '(ra := 0))            ; reference angle 
(setq C2 '(i := 900))           ; moment of inertia 
(setq C3 '(ma := 12.6))         ; moment arm 
(setq C4 '(dt := .01))          ; time step size 
(setq C5 '(g1 := 0.13))         ; rate gyro sensitivity 
(setq C6 '(g2 := 11.9))         ; free gyro sensitivity 
(setq C7 '(ds := 0.025))        ; dead space in thrustor 
(setq C8 '(r1 := 33000))        ; resistance R1 in mixing net 
(setq C9 '(r2 := 33000))        ; resistance R2 in mixing net 
(setq C10 '(r3 := 25000))       ; resistance R3 in mixing net 
(setq C11 '(pi := 3.14159)) 
(setq C12 '(x := 12.08))        ; orientation of rocket 
(setq C13 '(x1dot := -1.27))    ; 1st derivative of x 
(setq C14 '(rc := pi / 180))    ; radian conversion factor 
(setq C15 '(dc := 180 / pi))    ; degree conversion factor 

; mixing network coefficients 
(setq M1 '(c1 := 1/(1+(1+r3/r2)*(r1/r3)) )) 
(setq M2 '(c2 := 1/(1+(1+r3/r1)*(r2/r3)) )) 

; statements 
(setq S1 '(ev := g2 * sin((ra - x) * rc) ))       ; error voltage 
(setq S2 '(fv := NEG g1 * x1dot))                 ; feedback voltage 
(setq S3 '(v := c1 * ev + c2 * fv))               ; network output voltage 
(setq S4 '(IF 
            ((v < NEG ds) ==> (h := v + ds)) 
            ((v <= ds)    ==> (h := 0)) 
            ((ds < v)     ==> (h := v - ds)) 
          ))                                      ; thrustor controller dead space 
(setq S5 '(IF 
            ((h < 0) ==> (f := -4)) 
            ((h = 0) ==> (f := 0)) 
            ((0 < h) ==> (f := 4)) 
          ))                                      ; thrustor force 
(setq S6 '(x2dot := (f * ma / i) * dc))           ; rocket dynamics 

; part B of the simulation: updating of x and x' 
(setq S7 '(x := x + x1dot * dt)) 
(setq S8 '(x1dot := x1dot + x2dot * dt)) 


The above program statements constitute parts A and B of the simulation loop 
for the Aerobee attitude controller. 

Here is the envisionment produced for the Aerobee rocket: 

Figure 4.2: Envisionment of Aerobee Rocket 

Chapter 5 


CSM-based Fault Diagnosis 

5.1 Use of Envisionments for wp-based Diagnosis 

A major advantage of having available an envisionment of the system being 
simulated is that it is frequently possible to use wp transform techniques on 
envisionments, whereas the same approach would lead to a combinatorial ex- 
plosion if applied to the raw output data. 

The application of the wp transform to envisionments depends on the as- 
sumption that the structure of the envisionment remains valid despite the oc- 
currence of faults. This corresponds to the assumption, discussed previously, 
that faults correspond to changes in model parameters but leave model structure 
unchanged. 

5.1.1 Examples of Use 

Buzzer Diagnosis using wp 

Our first example of wp-based diagnosis will consider a particularly simple sys- 
tem: the abstract buzzer introduced previously. We reproduce the CSM here: 


loop 
{A:} 
S1: if 
      l >= lmax              --> l' := 0; 
      l <= lmin              --> l' := 0; 
      lmin < l <= a          --> l' := 1; 
      a < l < lmax           --> l' := -1; 
    fi 
{B:} 
S2: l := l + l' * dt 
until done 


Suppose the buzzer is observed to be stationary at l = -3, but suddenly begins 
moving to the right at velocity 1: a state transition 

1 : (l : (-∞, lmin] | l' : 0)  -->  2 : (l : [?] | l' : [+]) 

Both states 1 and 2 must be B states, since only B states correspond to states 
of the actual system. The transition therefore leads from state 1 through an 
unknown intermediate A state to state 2. In terms of the computations, this is 
equivalent to the precondition that l' be [+] after executing S2; S1. 

This formulation omits the critical fact that l was observed to be stationary 
at -3 before starting to move right. We thus need to append “given that l = -3 
and l' = 0 before executing S2; S1.” Formally, we thus have 

wp({V1:} l := -3; {V2:} l' := 0; S2; S1 | l' = 1) 

The statements labeled V1 and V2 express the “initially stationary at -3” 
condition. Executing these assignments before S2; S1 assures that the desired 
values are bound to l and l' before the transitions are taken. 

Here are the wp calculations for this system: 

wp(V1; V2; S2; S1 | l' = 1) 
= wp(V1; V2; S2 | wp(S1 | l' = 1)) 
= wp(V1; V2; S2 | (l ≥ lmax ⇒ wp(l' := 0 | l' = 1)) ∧ 
                  (l ≤ lmin ⇒ wp(l' := 0 | l' = 1)) ∧ 
                  (lmin < l ≤ a ⇒ wp(l' := 1 | l' = 1)) ∧ 
                  (a < l < lmax ⇒ wp(l' := -1 | l' = 1))) 
= wp(V1; V2; S2 | (l ≥ lmax ⇒ 0 = 1) ∧ 
                  (l ≤ lmin ⇒ 0 = 1) ∧ 
                  (lmin < l ≤ a ⇒ 1 = 1) ∧ 
                  (a < l < lmax ⇒ -1 = 1)) 

Simplifying 

(l ≥ lmax ⇒ 0 = 1) ∧ 
(l ≤ lmin ⇒ 0 = 1) ∧ 
(lmin < l ≤ a ⇒ 1 = 1) ∧ 
(a < l < lmax ⇒ -1 = 1) 

yields 

(l < lmax ∨ false) ∧                       (5.1) 
(l > lmin ∨ false) ∧                       (5.2) 
(l ∉ (lmin, a] ∨ true) ∧                   (5.3) 
(l ∉ (a, lmax) ∨ false)                    (5.4) 

which is equivalent to 

(l < lmax) ∧ (l > lmin) ∧ (l ∉ (a, lmax)) 

i.e. l ∈ (lmin, a]. The original expression 

wp(V1; V2; S2; S1 | l' = 1) 

thus reduces to 

wp(V1; V2; S2 | l ∈ (lmin, a]) 

Since S2 is l := l + l' dt, this becomes 

wp({V1:} l := -3; {V2:} l' := 0 | l + l' dt ∈ (lmin, a]) 
= wp({V1:} l := -3 | l ∈ (lmin, a]) 
= -3 ∈ (lmin, a] 

i.e. 

(lmin < -3) ∧ (-3 ≤ a) 

The putative values of lmin and a are -2 and 0 respectively. -3 ≤ 0 = a 
is true, so we have (lmin < -3) ∧ true, or equivalently (lmin < -3) as the 
weakest precondition for the observed symptoms: lmin has shifted. 





5.2 Relay Servo Diagnosis using wp 

The envisionment of the relay servo contains, among others, the following 
transitions: 

[state diagram not recoverable from the scan: transitions among the states 
labeled a, h, i and j, with configurations of the form (- + | 0) and (- + | -)] 

The diagram alone does not tell us what has happened in the actual system; 
we apply the wp approach to find out. Suppose the values X = -0.2, 
X' = 0.8 have been observed. (These values were taken from [?], Fig. 3, 
p. 120.) We now pose the question “what has to hold in order for X'' to be 
negative¹, proceeding from point A to point B?”, and so the problem 
is formulated as 

wp(PROG | X'' < 0) 

where PROG denotes the program segment 

-- statement 1: 
if X < 0 then G := 1; 
elsif X = 0 then G := 0; 
else G := -1; 
end if; 

-- statement 2: 
X'' := -X'/B + G * A/B 

¹ X'' can, if necessary, be observed as well. 

In other words, what is the most general statement that must hold before exe- 
cuting PROG, if [X''] = - is to be true afterwards? Proceeding as usual, we 
find 

wp(statement 2 | X'' < 0) = -X'/B + G * A/B < 0 

and so G * A/B < X'/B. Since by physical considerations B > 0, we simplify 
this to G * A < X', and since X' = 0.8, we have G * A < 0.8. Continuing: 

wp(statement 1 | G * A < 0.8) = 
    X < 0 ⇒ wp(G := 1 | G * A < 0.8); 
    X = 0 ⇒ wp(G := 0 | G * A < 0.8); 
    true  ⇒ wp(G := -1 | G * A < 0.8); 
end if; 

Since X = -0.2 < 0, we have wp(G := 1 | G * A < 0.8), which is 
1 * A < 0.8. But this contradicts the supposed binding of A to 2, and 
so we have a malfunction consisting of a shift in the value of A: the loop gain 
has inadvertently decreased. 
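The two wp calculations of this chapter (the buzzer in 5.1.1 and the relay servo just above) carried out mechanically, as an added Python example that is not from the report. Expressions and guards are Python callables on a state dictionary; wp of an assignment is substitution (the postcondition is evaluated in the updated state), and wp of a guarded if follows Dijkstra's rule, including the "at least one guard holds" conjunct that the hand derivations leave implicit. Because the predicates are executable rather than symbolic, diagnose() evaluates the precondition over candidate values of one parameter instead of solving for it. lmax and dt for the buzzer are assumed values (the page gives none); all other numbers are the page's: lmin = -2, a = 0, A = 2, B = 0.5, X = -0.2, X' = 0.8. The names assign, guarded_if, wp, wp_one, diagnose and the *_MODEL dictionaries are this example's own.

```python
# Programs are lists of statements. Expressions and guards are plain Python callables on a
# state dictionary, so wp can be built mechanically: an assignment substitutes (the
# postcondition is evaluated in the state after the update), and a guarded if yields
# "some guard holds, and every guard implies the wp of its branch" (Dijkstra's rule).

def assign(var, expr):
    return ('assign', var, expr)

def guarded_if(*branches):
    """branches are (guard, [statements]) pairs."""
    return ('if', list(branches))

def wp(stmts, post):
    """Weakest precondition of the statement list `stmts` with respect to `post`."""
    pred = post
    for stmt in reversed(stmts):           # wp(S1; S2 | P) = wp(S1 | wp(S2 | P))
        pred = wp_one(stmt, pred)
    return pred

def wp_one(stmt, post):
    if stmt[0] == 'assign':
        _, var, expr = stmt
        return lambda s: post({**s, var: expr(s)})
    if stmt[0] == 'if':
        branches = [(guard, wp(body, post)) for guard, body in stmt[1]]
        return lambda s: (any(g(s) for g, _ in branches)
                          and all((not g(s)) or q(s) for g, q in branches))
    raise ValueError(stmt[0])

def diagnose(prog, post, model, param, candidates):
    """Evaluate wp(prog | post) with each candidate substituted for `param` in the nominal
    model; the candidates for which it holds are the parameter shifts that would make the
    model reproduce the symptom expressed by `post`."""
    pre = wp(prog, post)
    return [v for v in candidates if pre({**model, param: v})]

# Buzzer: V1; V2; S2; S1 with postcondition l' = 1 (l' is spelled ldot here).
BUZZER = [
    assign('l', lambda s: -3),                                   # V1: observed at rest at -3
    assign('ldot', lambda s: 0),                                 # V2: ... and stationary
    assign('l', lambda s: s['l'] + s['ldot'] * s['dt']),         # S2
    guarded_if(                                                  # S1
        (lambda s: s['l'] >= s['lmax'],            [assign('ldot', lambda s: 0)]),
        (lambda s: s['l'] <= s['lmin'],            [assign('ldot', lambda s: 0)]),
        (lambda s: s['lmin'] < s['l'] <= s['a'],   [assign('ldot', lambda s: 1)]),
        (lambda s: s['a'] < s['l'] < s['lmax'],    [assign('ldot', lambda s: -1)]),
    ),
]
BUZZER_POST = lambda s: s['ldot'] == 1                           # symptom: starts moving right
# lmin and a are the page's putative values; lmax and dt are assumed here (the page gives none).
BUZZER_MODEL = {'lmin': -2, 'a': 0, 'lmax': 2, 'dt': 0.01}

# Relay servo: PROG (statement 1; statement 2) with postcondition X'' < 0.
RELAY = [
    guarded_if(                                                  # statement 1
        (lambda s: s['X'] < 0,  [assign('G', lambda s: 1)]),
        (lambda s: s['X'] == 0, [assign('G', lambda s: 0)]),
        (lambda s: s['X'] > 0,  [assign('G', lambda s: -1)]),
    ),
    assign('Xdd', lambda s: -s['Xd'] / s['B'] + s['G'] * s['A'] / s['B']),   # statement 2
]
RELAY_POST = lambda s: s['Xdd'] < 0
RELAY_MODEL = {'A': 2, 'B': 0.5, 'X': -0.2, 'Xd': 0.8}           # nominal A, B and the observations

if __name__ == '__main__':
    print('buzzer, nominal model satisfies wp:', wp(BUZZER, BUZZER_POST)(BUZZER_MODEL))
    print('lmin values explaining the symptom:',
          diagnose(BUZZER, BUZZER_POST, BUZZER_MODEL, 'lmin', [-2, -3, -4, -5]))
    print('relay, nominal model satisfies wp:', wp(RELAY, RELAY_POST)(RELAY_MODEL))
    print('A values explaining the symptom:',
          diagnose(RELAY, RELAY_POST, RELAY_MODEL, 'A', [2, 1, 0.8, 0.5]))
```

The nominal buzzer model fails the precondition and only lmin < -3 satisfies it, which is the (lmin < -3) derived above; for the relay servo only A = 0.5 among the candidates satisfies it, matching 1 * A < 0.8 (A = 0.8 gives X'' = 0, not negative).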


5.3 Future Research Directions 

The techniques we have described were applied to a number of additional sys- 
tems. In particular, experiments in envisionment-based diagnosis were carried 
out on the automatically generated state diagram of an aircraft carrier arrest- 
ing cable system described in [l]. This system was used to explore hypotheses 
such as the possibility that the track of the actual system, i.e. the sequence of 
states it traced out in the envisionment, could yield valuable diagnostic clues. 
Initial investigations proved promising, but the research project ended before 
definitive conclusions could be reached. It was apparent, however, that addi- 
tional research was needed on problems such as appropriate notations for the 
characterization of tracks, as well as the integration of quantitative information 
with the envisionment. 
Appendix A 

Envisionment Generator 


states.part1 

{Used with states.part2 and a specialized X.part3 to construct 
state space transitions for the simulation in X.part3, 
according to the scheme outlined in the proposal.} 

{TO RUN: 

Compile states.part1, states.part2 and X.part3 and type 

(main_loop). 

Go for coffee AND dinner} 


************************* DATA STRUCTURES ************************* 


ENDPOINT -- a list containing the value of an endpoint and either 
            'c if the endpoint is included in the range or 'o 
            if it is not. 
            EX: (14 o) 

INTERVAL -- EITHER a single atom, indicating left and right 
            endpoints are the same (i.e., a single known value) 
            EX: 7 
            EX: infinity 
            OR a list consisting of a left and a right ENDPOINT 
            EX: ((14 o) (25 c)) 

VALUE    -- list of INTERVALS 
            EX: (7 ((14 o)(25 c)) ((-34 c)(0 c)) infinity) 
            The example contains 4 intervals. 


; ** Returns value of left endpoint of an interval 
; ** RANGE is an interval 
(defun lefft (range) 
  (if (atom range) range (caar range)) 
) 

; ** Returns value of right endpoint of an interval 
; ** RANGE is an interval 
(defun rite (range) 
  (if (atom range) range (caadr range)) 
) 

; ** Returns 'c if RANGE is a single value, otherwise the 
; ** 'o or 'c indication from the left endpoint. 
; ** RANGE is an interval 
(defun loc (range) 
  (if (atom range) 'c (cadar range)) 
) 

; ** Returns 'c if RANGE is a single value, otherwise the 
; ** 'o or 'c indication from the right endpoint. 
; ** RANGE is an interval 
(defun roc (range) 
  (if (atom range) 'c (cadadr range)) 
) 

; ** Returns t if the left side of the interval is open; 
; ** Otherwise nil. 
; ** RANGE is an interval. 
(defun openleft (range) 
  (equal (loc range) 'o) 
) 

; ** Returns t if the left side of the interval is closed 
; ** Otherwise nil. 
; ** RANGE is an interval. 
(defun closedleft (range) 
  (equal (loc range) 'c) 
) 

; ** Returns t if the right side of the interval is open 
; ** Otherwise nil. 
; ** RANGE is an interval. 
(defun openright (range) 
  (equal (roc range) 'o) 
) 

; ** Returns t if the right side of the interval is closed 
; ** Otherwise nil. 
; ** RANGE is an interval. 
(defun closedright (range) 
  (equal (roc range) 'c) 
) 

; ** If left endpoint of RANGE is greater than right endpoint then 
; ** the left and right endpoints are swapped. Otherwise RANGE is 
; ** returned unchanged. 
; ** RANGE is an interval. 
(defun order (range) 
  (cond 
    ((or (equal (lefft range) minf) (equal (rite range) inf)) range) 
    ((or (equal (lefft range) inf) (equal (rite range) minf)) 
     (reverse range)) 
    ((<= (lefft range) (rite range)) range) 
    (t (reverse range)) 
  ) 
) 

; ** Returns t if any point in interval A is less than any point 
; ** in interval B. 
; ** A and B are intervals. 
(defun one_less (a b) 
  (cond 
    ((or (equal (lefft a) minf) (equal (rite b) inf)) t) 
    ((or (equal (lefft a) inf) (equal (rite b) minf)) ()) 
    (t (< (lefft a) (rite b))) 
  ) 
) 

; ** Returns an interval that is the portion of interval A that is 
; ** strictly less than some point in interval B. 
; ** A and B are intervals. 
(defun prune_less (a b) 
  (cond 
    ((or (equal (rite b) inf) 
         (equal (rite a) minf)) a) 
    ((or (equal (rite a) inf) 
         (equal (rite b) minf) 
         (>= (rite a) (rite b))) 
     (list (list (lefft a) (loc a)) (list (rite b) 'o))) 
    (t a) 
  ) 
) 

; ** Returns an interval that is the portion of interval A that is 
; ** strictly greater than some point in interval B. 
; ** A and B are intervals. 
(defun prune_greater (a b) 
  (cond 
    ((or (equal (lefft b) minf) 
         (equal (lefft a) inf)) a) 
    ((or (equal (lefft a) minf) 
         (equal (lefft b) inf) 
         (<= (lefft a) (lefft b))) 
     (list (list (lefft b) 'o) (list (rite a) (roc a)))) 
    (t a) 
  ) 
) 

; ** Returns true if any interval in A contains a point which is 
; ** less than a point in any interval in B 
; ** A and B are VALUES (lists of intervals) 
(defun qual_less (a b &aux aux1) 
  (dotimes (k (length a)) 
    (dotimes (i (length b)) 
      (if (one_less (nth k a) (nth i b)) 
        (setq aux1 t) 
      ) 
    ) 
  ) 
  aux1 
) 

; ** Returns a value that contains intervals of A that are less than 
; ** some point in an interval of B. 
; ** A and B are values. 
(defun find_less (a b &aux aux1) 
  (dotimes (k (length a)) 
    (dotimes (i (length b)) 
      (if (one_less (nth k a) (nth i b)) 
        (setq aux1 (cons (prune_less (nth k a) (nth i b)) aux1)) 
      ) 
    ) 
  ) 
  aux1 
) 

; ** Returns a value that contains intervals of A that are greater 
; ** than some point in an interval of B. 
; ** A and B are values. 
(defun find_greater (a b &aux aux1) 
  (dotimes (k (length a)) 
    (dotimes (i (length b)) 
      (if (one_greater (nth k a) (nth i b)) 
        (setq aux1 (cons (prune_greater (nth k a) (nth i b)) aux1)) 
      ) 
    ) 
  ) 
  aux1 
) 

; ** Returns t if interval A and interval B are disjoint. 
; ** A and B are intervals. 
(defun one_ne (a b) 
  (or 
    (one_less (rite a) (lefft b)) 
    (one_less (rite b) (lefft a)) 
    (and (equal (rite a) (lefft b)) 
         (or (openright a) (openleft b))) 
    (and (equal (lefft a) (rite b)) 
         (or (openleft a) (openright b))) 
  ) 
) 

; ** Returns t if any point in interval A is equal to any point 
; ** in interval B. 
; ** A and B are intervals. 
(defun one_eq (a b) 
  (null (one_ne a b)) 
) 

; ** Returns true if any interval in A contains a point which is 
; ** equal to a point in any interval of B. 
; ** A and B are VALUES (lists of intervals). 
(defun qual_eq (a b &aux aux1) 
  (dotimes (k (length a)) 
    (dotimes (i (length b)) 
      (if (one_eq (nth k a) (nth i b)) 
        (setq aux1 t) 
      ) 
    ) 
  ) 
  aux1 
) 

; ** Returns true if all intervals of A are disjoint from all 
; ** intervals of B. 
; ** A and B are VALUES (lists of intervals). 
(defun qual_ne (a b) 
  (null (qual_eq a b)) 
) 

; ** Returns true if any interval in A contains a point which is 
; ** less than or equal to a point in any interval in B. 
; ** A and B are VALUES (lists of intervals) 
(defun qual_lesseq (a b) 
  (or (qual_less a b) (qual_eq a b)) 
) 

; ** Returns t if any point in interval A is greater than any point 
; ** in interval B. 
; ** A and B are intervals. 
(defun one_greater (a b) 
  (cond 
    ((or (equal (lefft a) inf) (equal (rite b) minf) 
         (equal (rite a) inf) (equal (lefft b) minf)) t) 
    ((or (equal (rite a) minf) (equal (lefft b) inf)) ()) 
    (t (> (rite a) (lefft b))) 
  ) 
) 

; ** Returns true if any interval in A contains a point which is 
; ** greater than a point in any interval in B. 
; ** A and B are VALUES (lists of intervals). 
(defun qual_greater (a b &aux aux1) 
  (dotimes (k (length a)) 
    (dotimes (i (length b)) 
      (if (one_greater (nth k a) (nth i b)) 
        (setq aux1 t) 
      ) 
    ) 
  ) 
  aux1 
) 

; ** Returns true if any interval in A contains a point which is 
; ** greater than or equal to a point in any interval in B. 
; ** A and B are VALUES (lists of intervals) 
(defun qual_greatereq (a b) 
  (or (qual_greater a b) (qual_eq a b)) 
) 


; ** Conses A onto B only if B doesn't already contain A. 
; ** B is a list -- A is anything you want it to be. 
(defun mycons (a b) 
  (cond 
    ((member a b) b) 
    (t (cons a b)) 
  ) 
) 

; ** Returns the greater of two endpoints. 
; ** A and B are endpoints. They may not be constants. 
(defun onemax (a b) 
  (cond 
    ((or (equal (car b) minf) (equal (car a) inf)) a) 
    ((or (equal (car a) minf) (equal (car b) inf)) b) 
    ((> (car a) (car b)) a) 
    ((> (car b) (car a)) b) 
    ((equal (cadr a) 'o) b) 
    (t a) 
  ) 
) 

; ** Returns the maximum valued endpoint from the list of endpoints 
; ** A, or the endpoint B. 
; ** A is a list of endpoints and B is an endpoint. 
; ** The endpoints may not be constants. 
(defun mymaxaux (a b) 
  (cond 
    ((null a) b) 
    (t (mymaxaux (cdr a) (onemax (car a) b))) 
  ) 
) 

; ** Returns the maximum valued endpoint from the list of endpoints 
; ** A. The endpoints may not be constants. 
(defun mymax (a) 
  (mymaxaux a (list minf 'c)) 
) 

; ** Returns the lesser of two endpoints. 
; ** A and B are endpoints. They may not be constants. 
(defun onemin (a b) 
  (cond 
    ((or (equal (car b) minf) (equal (car a) inf)) b) 
    ((or (equal (car a) minf) (equal (car b) inf)) a) 
    ((> (car a) (car b)) b) 
    ((> (car b) (car a)) a) 
    ((equal (cadr a) 'o) b) 
    (t a) 
  ) 
) 

; ** Returns the minimum valued endpoint from the list of endpoints 
; ** A, or the endpoint B. 
; ** A is a list of endpoints and B is an endpoint. 
; ** The endpoints may not be constants. 
(defun myminaux (a b) 
  (cond 
    ((null a) b) 
    (t (myminaux (cdr a) (onemin (car a) b))) 
  ) 
) 

; ** Returns the minimum valued endpoint from the list of endpoints 
; ** A. The endpoints may not be constants. 
(defun mymin (a) 
  (myminaux a (list inf 'c)) 
) 

; ** Returns the value portion of an endpoint A, which may or may 
; ** not be a constant. 
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(defun int_val (a) 

(i 1 (atom a) a (car a)) 

) 

; ** Returns 'c if a is a constant, or the 'o' or *c> portion of 
; ** the interval A otherwise. 

(defun intoc (a) 

(if (atom a) 'c (cadr a)) 

) 

; ** Returns the sum of two values A and B, either numeric or
; ** symbolic (infinity or negative_infinity).

(defun plusval (a b)
  (cond
    ((or (equal a inf) (equal b inf)) inf)
    ((or (equal a minf) (equal b minf)) minf)
    (t (+ a b))
  )
)

; ** Returns 'o if either A or B is 'o. Otherwise 'c.

(defun plusoc (a b)
  (if (or (equal a 'o) (equal b 'o)) 'o 'c)
)

; ** Returns the sum of two endpoints A and B, either numeric or
; ** symbolic (infinity or negative_infinity).

(defun plusint (a b)
  (list (plusval (int_val a) (int_val b)) (plusoc (intoc a) (intoc b)))
)

; ** Returns the left endpoint of the interval A.

(defun leftpt (a)
  (if (atom a) a (car a))
)

; ** Returns the right endpoint of the interval A.

(defun rightpt (a)
  (if (atom a) a (cadr a))
)

; ** Returns an ordered interval representing the sum of the two
; ** intervals A and B.

(defun one_plus (a b)
  (order (list (plusint (leftpt a) (leftpt b))
               (plusint (rightpt a) (rightpt b))))
)


; ** Returns a VALUE that contains intervals that result from
; ** all pairwise sums of intervals, one from A and one from B.
; ** A and B are VALUES.

(defun qual_plus (a b &aux auxl)
  (dotimes (k (length a))
    (dotimes (i (length b))
      (setq auxl
            (cons (one_plus (nth k a) (nth i b)) auxl))
    )
  )
  auxl
)


; ** Returns the difference of two values A and B, either numeric
; ** or symbolic (infinity or negative_infinity).

(defun minusval (a b)
  (cond
    ((or (equal a inf) (equal b minf)) inf)
    ((or (equal a minf) (equal b inf)) minf)
    (t (- a b))
  )
)

; ** Returns 'o if either A or B is 'o. Otherwise 'c.

(defun minusoc (a b)
  (if (or (equal a 'o) (equal b 'o)) 'o 'c)
)

; ** Returns the difference of two endpoints A and B, either numeric
; ** or symbolic (infinity or negative_infinity).

(defun minusint (a b)
  (list (minusval (int_val a) (int_val b)) (minusoc (intoc a) (intoc b)))
)

; ** Returns an ordered interval representing the difference of the
; ** two intervals A and B.

(defun one_minus (a b)
  (order (list (minusint (leftpt a) (rightpt b))
               (minusint (rightpt a) (leftpt b))))
)

; ** Returns a VALUE that contains intervals that result from
; ** all pairwise differences of intervals, one from A and one from
; ** B.
; ** A and B are VALUES.

(defun qual_minus (a b &aux auxl)
  (dotimes (k (length a))
    (dotimes (i (length b))
      (setq auxl
            (cons (one_minus (nth k a) (nth i b)) auxl))
    )
  )
  auxl
)


; ** Returns a list consisting of the minimum and maximum
; ** endpoints from the list of endpoints X.

(defun getmaxandmin (x)
  (list (mymin x) (mymax x))
)

; ** Returns the product of two values A and B, either numeric or
; ** symbolic (infinity or negative_infinity).

(defun timesval (a b)
  (cond
    ((or (equal a 0) (equal b 0)) 0)
    ((and (equal a inf) (equal b inf)) inf)
    ((and (equal a inf) (equal b minf)) minf)
    ((and (equal a inf) (< b 0)) minf)
    ((equal a inf) inf)
    ((and (equal a minf) (equal b minf)) inf)
    ((and (equal a minf) (equal b inf)) minf)
    ((and (equal a minf) (< b 0)) inf)
    ((equal a minf) minf)
    ((and (equal b inf) (> a 0)) inf)
    ((equal b inf) minf)
    ((and (equal b minf) (< a 0)) inf)
    ((equal b minf) minf)
    (t (* a b))
  )
)

; ** Returns 'o if either A or B is 'o. Otherwise 'c.

(defun timesoc (a b)
  (if (or (equal a 'o) (equal b 'o)) 'o 'c)
)

; ** Returns the product of two endpoints A and B, either numeric or
; ** symbolic (infinity or negative_infinity).

(defun timesint (a b)
  (list (timesval (int_val a) (int_val b)) (timesoc (intoc a) (intoc b)))
)

; ** Returns an ordered interval representing the product of the two
; ** intervals A and B (the extremes of the four endpoint products).

(defun one_times (a b)
  (getmaxandmin (list (timesint (leftpt a) (leftpt b))
                      (timesint (rightpt a) (rightpt b))
                      (timesint (leftpt a) (rightpt b))
                      (timesint (rightpt a) (leftpt b))
                )
  )
)

; ** Returns a VALUE that contains intervals that result from
; ** all pairwise products of intervals, one from A and one from B.
; ** A and B are VALUES.

(defun qual_times (a b &aux auxl)
  (dotimes (k (length a))
    (dotimes (i (length b))
      (setq auxl
            (cons (one_times (nth k a) (nth i b)) auxl))
    )
  )
  auxl
)

; ** Returns the quotient of two values A and B, either numeric or
; ** symbolic (infinity or negative_infinity).

(defun divideval (a b)
  (cond
    ((equal a 0) 0)
    ((and (equal a inf) (equal b inf)) inf)
    ((and (equal a inf) (equal b minf)) minf)
    ((and (equal a inf) (< b 0)) minf)
    ((equal a inf) inf)
    ((and (equal a minf) (equal b minf)) inf)
    ((and (equal a minf) (equal b inf)) minf)
    ((and (equal a minf) (< b 0)) inf)
    ((equal a minf) minf)
    ((equal b inf) 0)
    ((equal b minf) 0)
    (t (/ a b))
  )
)

; ** Returns 'o if either A or B is 'o. Otherwise 'c.

(defun divideoc (a b)
  (if (or (equal a 'o) (equal b 'o)) 'o 'c)
)

; ** Returns the quotient of two endpoints A and B, either numeric
; ** or symbolic (infinity or negative_infinity).

(defun divideint (a b)
  (list (divideval (int_val a) (int_val b)) (divideoc (intoc a) (intoc b)))
)

; ** Returns an ordered interval representing the quotient of the
; ** two intervals A and B.

(defun one_divide (a b)
  (getmaxandmin (list (divideint (leftpt a) (leftpt b))
                      (divideint (rightpt a) (rightpt b))
                      (divideint (leftpt a) (rightpt b))
                      (divideint (rightpt a) (leftpt b))
                )
  )
)

; ** Returns a VALUE that contains intervals that result from
; ** all pairwise quotients of intervals, one from A and one from
; ** B.
; ** A and B are VALUES.

(defun qual_divide (a b &aux auxl)
  (dotimes (k (length a))
    (dotimes (i (length b))
      (setq auxl
            (cons (one_divide (nth k a) (nth i b)) auxl))
    )
  )
  auxl
)


; ** Returns the sine of the value A, either numeric or symbolic
; ** (infinity or negative_infinity). A list of intervals is returned.

(defun one_sin (a &aux auxl)
  (if (one_less a 0) (setq auxl '(((-1 c) (0 o)))))
  (if (one_eq a 0) (setq auxl (cons 0 auxl)))
  (if (one_greater a 0) (setq auxl (cons '((0 o) (1 c)) auxl)))
  auxl
)

; ** Returns a list of intervals, one for the sine of each
; ** interval in the list of intervals A.

(defun qual_sin (a &aux auxl)
  (dotimes (k (length a))
    (setq auxl
          (append (one_sin (nth k a)) auxl))
  )
  auxl
)


; ** sub performs a textual substitution of x for all occurrences of
; ** z in y (at any level of nesting).

(defun sub (x in y for z)
  (cond
    ((null y) ())
    ((null (atom (car y)))
     (cons (sub x in (car y) for z) (sub x in (cdr y) for z))
    )
    ((eq (car y) z)
     (cons x (sub x in (cdr y) for z))
    )
    (t (cons (car y) (sub x in (cdr y) for z)))
  )
)

;* dead space function
(defun dsp (a b c &aux auxl)
  (if (qual_less a b)
      (setq auxl (qual_minus (find_less a b)
                             (find_greater b (find_less a b)))))
  (if (and (qual_lesseq b a) (qual_lesseq a c))
      (setq auxl (cons 0 auxl)))
  (if (qual_greater a c)
      (setq auxl (append (qual_minus
                           (find_greater a c)
                           (find_less c (find_greater a c))) auxl)))
  auxl
)

;* function switch
(defun fsw (a b c d &aux auxl)
  (if (qual_less a '(0)) (setq auxl b))
  (if (qual_eq a '(0)) (setq auxl (append c auxl)))
  (if (qual_greater a '(0)) (setq auxl (append d auxl)))
  auxl
)

; ** Binds the symbol A to a VALUE consisting of the single interval B.
(defun msetq (a b)
  (set a (list b))
)

; ** Indeed an unusual way to obtain a list of digits, but
; ** necessary because of the unusual "things" that result
; ** when an atom is exploded.

(setq digits (cdr (explode 'x0123456789)))

(setq in ())
(setq for ())
(setq inf 'infinity)
(setq minf 'negative_infinity)


A.1 Qualitative Simulation of the AEROBEE Controller

; Aerobee.part3

; ** establishes values of program constants
(defun set_constants ()
  (msetq 'ra 0)
  (msetq 'inertia 900)
  (msetq 'ma 12.5)
  (msetq 'fa 4)
  (msetq 'g1 0.13)
  (msetq 'g2 11.9)
  (msetq 'dead_space 0.025)
  (msetq 'r1 33000)
  (msetq 'r2 33000)
  (msetq 'r3 25000)
  (msetq 'pi 3.14159)
  (setq rad_conversion (qual_divide pi '(180)))
  (setq degree_conversion (qual_divide '(180) pi))
  ; c1 = 1 / (1 + (1 + r3/r2) * (r1/r3))
  (setq c1 (qual_divide '(1)
                        (qual_plus '(1)
                                   (qual_times (qual_plus '(1) (qual_divide r3 r2))
                                               (qual_divide r1 r3)))))
  ; c2 = 1 / (1 + (1 + r3/r1) * (r2/r3))
  (setq c2 (qual_divide '(1)
                        (qual_plus '(1)
                                   (qual_times (qual_plus '(1) (qual_divide r3 r1))
                                               (qual_divide r2 r3)))))
)


; ** Allocates arrays. Sets initial count values, endogenous
; ** variable list, landmarks, maximum number of states.
(defun main ()
  (set_constants)
  (define_symbolic_a)
  (setq endogenous '( (x 2 1) ))
  (setq landmarks '(0))
  (setq max_states 100)
  (setq acount 1)
  (setq bcount 0)
  (setq old_acount 0)
  (setq old_bcount 0)
  (declare_transitions_array 'atransitions)
  (declare_transitions_array 'btransitions)
  (declare_states_array 'astates)
  (declare_states_array 'bstates)
  (declare_one_state_array 'new_z_states)
  (declare_one_state_array 'new_b_states)
  (declare_one_state_array 'new_non_z_states)
  (declare_one_state_array 'state_candidate)
  ; initial state 0: x0 in (0, inf], x1 = 0, x2 unconstrained
  ; (setf rather than setq, since setq cannot assign to an array element)
  (setf (aref astates 0 0 0) '((0 o) (infinity c)))
  (setf (aref astates 0 0 1) 0)
  (setf (aref astates 0 0 2) '((negative_infinity c) (infinity c)))
)


; ** A state computations.

(setq a_computations '(
  (setq ev (qual_times g2 (qual_sin (qual_times (qual_minus ra x0)
                                                rad_conversion))))
  (setq fv (qual_minus '(0) (qual_times g1 x1)))
  (setq v (qual_plus (qual_times c1 ev) (qual_times c2 fv)))
  (setq h (dsp v (qual_minus '(0) dead_space) dead_space))
  (setq force (fsw h (qual_minus '(0) fa) '(0) fa))
  (setq x2 (qual_times (qual_divide (qual_times force ma) inertia)
                       degree_conversion))
))

; ** B state computations.

(setq b_computations '(
  (setq x0 (qual_plus x0 (qual_times dt x1)))
  (setq x1 (qual_plus x1 (qual_times x2 dt)))
))




Appendix B

The WP Transform applied to the Aerobee Controller

; Aerobee.wp.lisp

{The weakest precondition for an observed value is obtained from
the loop of the aerobee rocket simulation. (One constant representing
the mistrusted component is not specified.) Then simplification of
the resulting weakest precondition is obtained using a recursive
descent parser to perform the actual simplifications.

Then an actual numerical value or range of values for the
untrusted variable is searched for using a mathematical technique.
Beginning with a possible interval, endpoints are found by
successively halving the interval and noting the resulting value
this produces in the weakest precondition, terminating when the
weakest precondition evaluates to true.

TO RUN:

Modify constant values and program specification to represent the
desired program, leaving out a constant value for the mistrusted
component. Specify the desired result predicate in the
"weakest_precondition" function. Modify the function "try" by
specifying the "unknown", "value" (as the midpoint of), "high" and
"low" endpoints.

Compile.

Type (ultimate).

If only the weakest precondition is desired,
type (weakest_precondition). If the simplified weakest precondition
is desired, run (weakest_precondition) and (simplification).}
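The procedure described above (wp over the simulation body with one constant left free, then a halving search for that constant), as an added example in Python rather than the report's Lisp: expressions are prefix tuples instead of infix token lists, the report's symbolic simplifier is replaced by direct numeric evaluation of the wp predicate, and the search brackets the threshold of r1 by bisecting on the predicate's truth value. The tuple encoding, the function names and the search interval [1, 1000000] are assumptions of this example, not the report's.

```python
"""wp search for an untrusted constant (added example, not the report's Lisp):
wp over assignments, sequences and guarded IFs, then bisection on r1."""
import math

# Expression trees (constructed): a number, a variable name (str), or a
# tuple (op, arg, ...) with op in + - * / neg sin = < <= not and or.
# Statements: ("asn", var, expr), ("seq", [stmts]), ("if", [(guard, stmt)]).
EQ_TOL = 0.001  # the report's symb_eq treats |l - r| < 0.001 as equal
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
       "*": lambda a, b: a * b, "/": lambda a, b: a / b,
       "neg": lambda a: -a, "sin": math.sin,
       "=": lambda a, b: abs(a - b) < EQ_TOL,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       "not": lambda a: not a, "and": lambda a, b: a and b,
       "or": lambda a, b: a or b}

def subst(expr, var, value):
    """Textual substitution of value for var at every nesting level (sub)."""
    if isinstance(expr, str):
        return value if expr == var else expr
    if isinstance(expr, tuple):
        return (expr[0],) + tuple(subst(e, var, value) for e in expr[1:])
    return expr

def wp(stmt, r):
    """Weakest precondition of stmt with respect to the predicate r."""
    kind = stmt[0]
    if kind == "asn":                # wp(x := e, R) = R[x := e]
        return subst(r, stmt[1], stmt[2])
    if kind == "seq":                # wp(S1; S2, R) = wp(S1, wp(S2, R))
        for s in reversed(stmt[1]):
            r = wp(s, r)
        return r
    if kind == "if":
        # As the report's doif/if_comb: AND over (NOT guard OR wp(body, R)),
        # i.e. guard ==> wp; Dijkstra's "some guard holds" disjunct is
        # omitted here as it is there.
        pred = None
        for guard, body in stmt[1]:
            clause = ("or", ("not", guard), wp(body, r))
            pred = clause if pred is None else ("and", pred, clause)
        return pred
    raise ValueError(kind)

def ev(expr, env):
    """Evaluate a tree numerically; env maps the free names to values."""
    if isinstance(expr, str):
        return env[expr]
    if not isinstance(expr, tuple):
        return expr
    return OPS[expr[0]](*[ev(a, env) for a in expr[1:]])

def asn(var, expr):
    return ("asn", var, expr)

# The report's Aerobee program in tree form; r1 is deliberately unassigned.
AEROBEE = ("seq", [
    asn("ra", 0), asn("i", 900), asn("ma", 12.5), asn("fa", 4),
    asn("g1", 0.13), asn("g2", 11.9), asn("ds", 0.025),
    asn("r2", 33000), asn("r3", 25000), asn("pi", 3.14159),
    asn("x", 12.0779), asn("x1dot", -1.2732),
    asn("rc", ("/", "pi", 180)), asn("dc", ("/", 180, "pi")),
    asn("c1", ("/", 1, ("+", 1, ("*", ("+", 1, ("/", "r3", "r2")),
                                      ("/", "r1", "r3"))))),
    asn("c2", ("/", 1, ("+", 1, ("*", ("+", 1, ("/", "r3", "r1")),
                                      ("/", "r2", "r3"))))),
    asn("ev", ("*", "g2", ("sin", ("*", ("-", "ra", "x"), "rc")))),
    asn("fv", ("*", ("neg", "g1"), "x1dot")),
    asn("v", ("+", ("*", "c1", "ev"), ("*", "c2", "fv"))),
    ("if", [(("<", "v", ("neg", "ds")), asn("h", ("+", "v", "ds"))),
            (("<=", "v", "ds"), asn("h", 0)),
            (("<", "ds", "v"), asn("h", ("-", "v", "ds")))]),
    ("if", [(("<", "h", 0), asn("f", -4)),
            (("=", "h", 0), asn("f", 0)),
            (("<", 0, "h"), asn("f", 4))]),
    asn("x2dot", ("*", ("/", ("*", "f", "ma"), "i"), "dc")),
])

def precondition(target=3.1831):
    return wp(AEROBEE, ("=", "x2dot", target))  # only free name left: r1

def holds(pred, r1):
    return bool(ev(pred, {"r1": r1}))

def bisect_boundary(pred, low, high, tol=1.0):
    """Halve [low, high] (pred false at low, true at high) until the bracket
    is at most tol wide; returns (low, high) around the threshold r1.  Start
    at 1 rather than the report's 0, since the program divides by r1."""
    if holds(pred, low) or not holds(pred, high):
        raise ValueError("bracket does not straddle the threshold")
    while high - low > tol:
        mid = (low + high) / 2
        low, high = (low, mid) if holds(pred, mid) else (mid, high)
    return low, high
```

`bisect_boundary(precondition(), 1, 1_000_000)` returns the smallest r1 (to within 1 ohm) for which the observed x2dot = 3.1831 is reachable; below it the dead-space branch forces f = 0 or f = -4 and the predicate is false.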




;seg segregates expressions. It extracts all numeric operands from
;an expression that has the same operator throughout its top level.
;The operation implied by the operator is applied to all the numeric
;operands in the expression. The result of this is combined with
;any non-numeric operands to be returned as the result of seg. If
;all top-level operators are not identical or there are no operators
;in the expression, it is returned unchanged.

(defun seg (x &aux temps tempresult)
  (cond
    ((null x) ())
    ((atom x) x)
    ((equal (length x) 1) (seg (car x)))
    ((same_op (cadr x) (cdddr x))
     (setq temps *s*)                              ; save the token stream
     (setq *s* (combine (cadr x) (numbersonleft x)))
     (setq tempresult (app *s*))
     (setq *s* temps)                              ; restore it
     tempresult
    )
    (t x)
  )
)

;app accepts an infix expression as its argument and evaluates it
;left to right (no precedence) until a non-numeric operand is
;encountered.

(defun app (x)
  (cond
    ((null x) ())
    ((atom x) x)
    ((equal (length x) 1) (car x))
    ((and (numberp (car x)) (numberp (caddr x)))
     (app (cons (apply (cadr x) (list (car x) (caddr x))) (cdddr x)))
    )
    (t x)
  )
)

;same_op returns t if all operators at the top level of the expression
;y are equal to x. y is an infix expression with the first element
;removed.

(defun same_op (x y)
  (cond
    ((null y) t)
    ((equal (car y) x) (same_op x (cddr y)))
    (t ())
  )
)

;combine returns y with x between each of its elements. If only one
;element is in y, it is unchanged. This is used for creating
;infix expressions out of a list of operands.

(defun combine (x y)
  (cond
    ((null y) ())
    ((equal (length y) 1) y)
    (t (cons (car y) (cons x (combine x (cdr y)))))
  )
)

;numbersonleft takes an infix expression as its argument and returns
;a list consisting only of the operands. Numeric operands precede
;non-numeric ones in the list.

(defun numbersonleft (x)
  (cond
    ((null x) ())
    ((numberp (car x))
     (cons (car x) (numbersonleft (cddr x))))
    (t (append (numbersonleft (cddr x)) (list (car x))))
  )
)


;symb_times performs symbolic or actual multiplication on its
;arguments.

(defun symb_times (l r)
  (cond
    ((or (safe_zerop l) (safe_zerop r)) 0)
    ((or (eq l 'inf) (eq r 'inf)) 'inf)
    ((eql l 1) r)
    ((eql r 1) l)
    ((and (numberp l) (numberp r)) (* l r))
    ((and (numberp r) (atom l)) (list r '* l))
    ((and (atom l) (atom r)) (list l '* r))
    ; l is a product (or a single operand): fold r into it
    ((and (listp l)
          (or (equal (length l) 1) (same_op '* (cdr l))))
     (cond
       ((atom r) (seg (cons r (cons '* l))))
       ((or (equal (length r) 1) (same_op '* (cdr r)))
        (seg (append l (cons '* r)))
       )
       (t (list l '* r))))
    ; (n * ...) * m  ==>  (n*m * ...)
    ((and (listp l)
          (numberp (car l))
          (equal (cadr l) '*)
          (numberp r))
     (cons (* r (car l)) (cdr l))
    )
    ; r is a product (or a single operand): fold l into it
    ((and (listp r)
          (or (equal (length r) 1) (same_op '* (cdr r))))
     (cond
       ((atom l) (seg (cons l (cons '* r))))
       ((or (equal (length l) 1) (same_op '* (cdr l)))
        (seg (append r (cons '* l)))
       )
       (t (list l '* r))))
    ; l * (a / n) with numeric n  ==>  (l * 1/n) * a
    ((and (listp r) (equal (cadr r) '/) (numberp (caddr r)))
     (cond
       ((atom l)
        (list
          (seg (cons l (list '* (/ 1 (caddr r)))))
          '* (car r)))
       ((or (equal (length l) 1) (same_op '* (cdr l)))
        (list
          (seg (append l (list '* (/ 1 (caddr r)))))
          '* (car r)))
       (t (list l '* r))
     )
    )
    (t (list l '* r))
  )
)

;safe_zerop is the same as the built-in zerop, but doesn't crash if
;its argument is not a number.

(defun safe_zerop (x)
  (and (numberp x) (zerop x))
)

;symb_add performs l+r, either symbolically or numerically, depending
;on the types of l and r.

(defun symb_add (l r)
  (cond
    ((safe_zerop l) r)
    ((safe_zerop r) l)
    ((or (eq l 'inf) (eq r 'inf)) 'inf)
    ((and (numberp l) (numberp r)) (+ l r))
    ((and (atom l) (atom r)) (list l '+ r))
    ; keep the sum with the smaller leading number first
    ((and (listp r) (listp l) (numberp (car l)) (numberp (car r))
          (> (car l) (car r)))
     (list r '+ l)
    )
    ((and (listp l)
          (or (equal (length l) 1) (same_op '+ (cdr l))))
     (cond
       ((atom r) (cons r (cons '+ l)))
       ((and (listp r) (numberp (car l)) (numberp (car r))
             (> (car l) (car r)))
        (list r '+ l)
       )
       ((or (equal (length r) 1) (same_op '+ (cdr r)))
        (seg (append l (cons '+ r)))
       )
       (t (list l '+ r))))
    ((and (listp r)
          (or (equal (length r) 1) (same_op '+ (cdr r))))
     (cond
       ((atom l) (seg (cons l (cons '+ r))))
       ((or (equal (length l) 1) (same_op '+ (cdr l)))
        (seg (append r (cons '+ l)))
       )
       ((and (listp l) (numberp (car l)) (numberp (car r))
             (> (car l) (car r)))
        (list r '+ l)
       )
       (t (list l '+ r))))
    (t (list l '+ r))
  )
)

;symb_div returns the actual or symbolic result of l/r.

(defun symb_div (l r)
  (cond
    ((safe_zerop r) 'inf)
    ((eq l r) 1)
    ((eq l 'inf) 'inf)
    ((eq r 'inf) 0)
    ((eql r 1) l)
    ((and (numberp l) (numberp r)) (/ l r))
    (t (list l '/ r))
  )
)

;symb_minus returns l-r. This may or may not be an actual numeric
;subtraction, depending on whether l and r are both numeric or not.
(defun symb_minus (l r)
  (cond
    ((eq r l) 0)
    ((and (numberp l) (numberp r)) (- l r))
    ((safe_zerop r) l)
    ((safe_zerop l) (list 'NEG r))
    ((eq l 'inf) 'inf)
    ((eq r 'inf) (simp (list 'NEG 'inf)))   ; simp is not defined in this listing
    (t (list l '- r))
  )
)

;symb_neg performs actual or symbolic unary minus on its argument.
(defun symb_neg (x)
  (cond
    ((numberp x) (- 0 x))
    ((atom x) (list 'NEG x))
    ((eq (car x) 'NEG) (cadr x))            ; NEG (NEG y) ==> y
    (t (list 'NEG x))
  )
)

;symb_sin returns the sine of its argument if it is numeric.
;Otherwise, (sin x) is returned, where x is the argument.

(defun symb_sin (x)
  (cond
    ((numberp x) (sin x))
    ((atom x) (list 'sin x))
    ((eq (car x) 'sin) (cdr x))
    (t (list 'sin x))
  )
)

;symb_or performs actual or symbolic manipulations of "l OR r".
(defun symb_or (l r)
  (cond
    ((or (equal l 'T) (equal r 'T)) 'T)
    ((equal l 'F) r)
    ((equal r 'F) l)
    ; both are relations on the same left and right operands
    ((and (listp l) (listp r)
          (equal (length l) 3) (equal (length r) 3)
          (equal (car l) (car r)) (equal (cddr l) (cddr r)))
     (cond
       ((and (equal (cadr l) '>=) (equal (cadr r) '>)) l)
       ((or (and (equal (cadr l) '<) (equal (cadr r) '>))
            (and (equal (cadr l) '>) (equal (cadr r) '<)))
        (list (car l) '<> (caddr l)))
       (t (list l 'OR r))
     )
    )
    (t
     (list l 'OR r)
    )
  )
)

;symb_and performs actual or symbolic manipulations of "l AND r".
(defun symb_and (l r)
  (cond
    ((and (equal l 'T) (equal r 'T)) 'T)
    ((or (equal l 'F) (equal r 'F)) 'F)
    ((equal l 'T) r)
    ((equal r 'T) l)
    ; both are relations on the same left operand
    ((and (listp l) (listp r)
          (equal (length l) 3) (equal (length r) 3)
          (equal (car l) (car r)))
     (cond
       ; (x >= a) AND (x <> a)  ==>  (x > a)
       ((and (equal (cadr l) '>=)
             (equal (cadr r) '<>)
             (equal (cddr l) (cddr r)))
        (list (car l) '> (caddr l)))
       ; a strict relation already implies the <> one
       ((and (or (equal (cadr l) '>) (equal (cadr l) '<))
             (equal (cadr r) '<>) (equal (cddr l) (cddr r)))
        l)
       ((and (or (equal (cadr r) '>) (equal (cadr r) '<))
             (equal (cadr l) '<>) (equal (cddr l) (cddr r)))
        r)
       ; (x >= a) AND (x > b) with b >= a  ==>  (x > b)
       ((and (equal (cadr l) '>=)
             (equal (cadr r) '>)
             (numberp (caddr l))
             (numberp (caddr r))
             (null (< (caddr r) (caddr l))))
        r)
       (t (list l 'AND r))
     )
    )
    (t
     (list l 'AND r)
    )
  )
)

;symb_lt performs actual or symbolic simplification of l < r.

(defun symb_lt (l r)
  (cond
    ((equal (symb_eq l r) 'T) 'F)
    ((and (numberp l) (numberp r))
     (cond
       ((< l r) 'T)
       (t 'F)
     )
    )
    ; (n + e) < r  ==>  e < r-n ; (e + n) < r  ==>  e < r-n
    ((and (numberp r) (listp l) (> (length l) 2) (equal (cadr l) '+))
     (cond
       ((numberp (car l))
        (list (cddr l) '< (- r (car l))))
       ((numberp (caddr l))
        (list (car l) '< (- r (caddr l))))
       (t (list l '< r))
     )
    )
    ; (e - n) < r  ==>  e < r+n
    ((and (numberp r) (listp l) (> (length l) 2) (equal (cadr l) '-)
          (numberp (caddr l)))
     (list (car l) '< (+ r (caddr l))))
    (t
     (list l '< r)
    )
  )
)


;symb_eq performs actual or symbolic simplification of l = r.
(defun symb_eq (l r)
  (cond
    ((equal l r) 'T)
    ((and (numberp l) (numberp r))
     (cond
       ((< (abs (- l r)) 0.001) 'T)
       (t 'F)
     )
    )
    ; (n + e) = r  ==>  e = r-n
    ((and (listp l) (numberp (car l)) (equal '+ (cadr l))
          (numberp r))
     (list (cddr l) '= (- r (car l))))
    ; (e - n) = r  ==>  e = r+n
    ((and (numberp r) (listp l) (> (length l) 2) (equal (cadr l) '-)
          (numberp (caddr l)))
     (list (car l) '= (+ r (caddr l))))
    (t (list l '= r))
  )
)

;symb_le performs actual or symbolic simplification of l <= r.
(defun symb_le (l r)
  (list l '<= r)
)

;symb_ne performs actual or symbolic simplification of l <> r.
(defun symb_ne (l r)
  (cond
    ((equal (symb_eq l r) 'T) 'F)
    ((equal (symb_eq l r) 'F) 'T)
    (t
     (list l '<> r)
    )
  )
)

;symb_not simplifies "NOT l".

(defun symb_not (l)
  (cond
    ((equal l 'T) 'F)
    ((equal l 'F) 'T)
    ((and (listp l) (equal (length l) 3))
     (cond
       ((equal (cadr l) '=) (list (car l) '<> (caddr l)))
       ((equal (cadr l) '<>) (list (car l) '= (caddr l)))
       ((and (equal (cadr l) '<) (numberp (car l)))
        (list (caddr l) '< (car l)))
       ((equal (cadr l) '<) (list (car l) '>= (caddr l)))
       ((equal (cadr l) '>) (list (car l) '<= (caddr l)))
       ((equal (cadr l) '<=) (list (car l) '> (caddr l)))
       ((equal (cadr l) '>=) (list (car l) '< (caddr l)))
       (t (list 'NOT l))
     )
    )
    (t
     (list 'NOT l)
    )
  )
)

;listp returns t if its argument is a list, () otherwise.
;(Common Lisp already provides listp; this definition is for the
;dialect the report used.)
(defun listp (x)
  (null (atom x))
)


;*******************************************************************
;The following functions of the form p_x (where x varies) form a
;recursive descent parser for logical and arithmetic expressions.
;*******************************************************************


; The token stream being parsed is the global list *s*.

(defun p_logterm (&aux logterm)
  (setq logterm (p_logfactor))
  (prog ()
    loop
    (cond
      ((null *s*) (return logterm))
      ((eq (car *s*) 'OR)
       (setq *s* (cdr *s*))
       (setq logterm (symb_or logterm (p_logfactor)))
      )
      (t (return logterm))
    )
    (go loop)
  )
)

(defun p_logfactor (&aux logfactor)
  (setq logfactor (p_boolean))
  (prog ()
    loop
    (cond
      ((null *s*) (return logfactor))
      ((eq (car *s*) 'AND)
       (setq *s* (cdr *s*))
       (setq logfactor (symb_and logfactor (p_boolean)))
      )
      (t (return logfactor))
    )
    (go loop)
  )
)

(defun p_boolean (&aux boolean)
  (setq boolean (p_expr))
  (prog ()
    loop
    (cond
      ((null *s*) (return boolean))
      ((eq (car *s*) '<)
       (setq *s* (cdr *s*))
       (setq boolean (symb_lt boolean (p_expr)))
      )
      ; a > b is handled as b < a, and a >= b as b <= a
      ((eq (car *s*) '>)
       (setq *s* (cdr *s*))
       (setq boolean (symb_lt (p_expr) boolean))
      )
      ((eq (car *s*) '<=)
       (setq *s* (cdr *s*))
       (setq boolean (symb_le boolean (p_expr)))
      )
      ((eq (car *s*) '>=)
       (setq *s* (cdr *s*))
       (setq boolean (symb_le (p_expr) boolean))
      )
      ((eq (car *s*) '=)
       (setq *s* (cdr *s*))
       (setq boolean (symb_eq boolean (p_expr)))
      )
      ((eq (car *s*) '<>)
       (setq *s* (cdr *s*))
       (setq boolean (symb_ne boolean (p_expr)))
      )
      (t (return boolean))
    )
    (go loop)
  )
)

(defun p_expr (&aux expr)
  (setq expr (p_term))
  (prog ()
    loop
    (cond
      ((null *s*) (return expr))
      ((eq (car *s*) '+)
       (setq *s* (cdr *s*))
       (setq expr (symb_add expr (p_term)))
      )
      ((eq (car *s*) '-)
       (setq *s* (cdr *s*))
       (setq expr (symb_minus expr (p_term)))
      )
      (t (return expr))
    )
    (go loop)
  )
)

(defun p_term (&aux term)
  (setq term (p_factor))
  (prog ()
    loop
    (cond
      ((null *s*) (return term))
      ((eq (car *s*) '*)
       (setq *s* (cdr *s*))
       (setq term (symb_times term (p_factor)))
      )
      ((eq (car *s*) '/)
       (setq *s* (cdr *s*))
       (setq term (symb_div term (p_factor)))
      )
      (t (return term))
    )
    (go loop)
  )
)

(defun p_factor ()
  (cond
    ((eq (car *s*) 'neg)
     (setq *s* (cdr *s*))
     (symb_neg (p_primary))
    )
    ((eq (car *s*) 'sin)
     (setq *s* (cdr *s*))
     (symb_sin (p_primary))
    )
    ((eq (car *s*) 'NOT)
     (setq *s* (cdr *s*))
     (symb_not (p_primary))
    )
    (t (p_primary))
  )
)

(defun p_primary (&aux primary)
  (cond
    ((null *s*) ())
    ((listp (car *s*))
     ; splice the parenthesized sub-expression onto the token stream,
     ; terminated by the marker *right*; parse it, then drop the marker
     (setq *s* (append (append (car *s*) (list '*right*)) (cdr *s*)))
     (setq primary (p_logterm))
     (setq *s* (cdr *s*))
     primary
    )
    (t
     (setq primary (car *s*))
     (setq *s* (cdr *s*))
     primary
    )
  )
)

;*******************************************************************
;some: the same function as described in the ExperLisp manual -
;except this one works!!!
;(Common Lisp has a built-in some; this definition shadows it.)

(defun some (x y)
  (cond
    ((null y) ())
    ((funcall x (car y)) (car y))
    (t (some x (cdr y)))
  )
)

(setq printdepth 100)
(setq in ())
(setq for ())

;*******************************************************************
;The next few functions are used for obtaining weakest
;preconditions (unsimplified).
;*******************************************************************

;sub performs a textual substitution of x for all occurrences of
;z in y (at any level of nesting).

(defun sub (x in y for z)
  (cond
    ((null y) ())
    ((null (atom (car y)))
     (cons (sub x in (car y) for z) (sub x in (cdr y) for z))
    )
    ((eq (car y) z)
     (cons x (sub x in (cdr y) for z))
    )
    (t (cons (car y) (sub x in (cdr y) for z)))
  )
)

;wp_asn returns wp(s,r) where s is an assignment statement of the
;form (var := expr ...): r with expr substituted for var.

(defun wp_asn (s r)
  (cond
    ((> (length (cddr s)) 1)
     (sub (cddr s) in r for (car s))
    )
    (t (sub (caddr s) in r for (car s)))
  )
)

;wp_seq returns wp(s,r) where s is a sequence of one or more
;statements.

(defun wp_seq (s r)
  (cond
    ((cdr s) (wp (car s) (wp_seq (cdr s) r)))
    (t (wp (car s) r))
  )
)

;wp_if returns wp(s,r) where s is an IF statement consisting of one
;or more guarded commands.

(defun wp_if (s r)
  (cond
    ((null s) ())
    (t (if_comb (doif (car s) r) (wp_if (cdr s) r)))
  )
)

;if_comb is used for combining parts of a wp for an IF. An AND is
;introduced between each clause. If there is only one clause, then
;there is no AND.

(defun if_comb (x y)
  (cond
    ((null y) (list x))
    (t (cons x (cons 'AND y)))
  )
)

;doif performs the actual wp calculation for one branch of an if
;statement. It also makes use of (p ==> q) == (NOT p OR q).

(defun doif (s r)
  (list (list 'NOT (car s)) 'OR (wp (caddr s) r))
)

;wp determines what type of statement s is and makes the necessary
;calls to return wp(s,r).

(defun wp (s r)
  (cond
    ((null s) r)
    ((eq (car s) 'IF) (wp_if (cdr s) r))
    ((atom (car s)) (wp_asn s r))
    (t (wp_seq s r))
  )
)
;*******************************************************************
;plug v in as the value for the unknown and test it

;do the actual mathematical evaluation

(defun evaluate (l r unknown v oldhighv oldlowv &aux temp1 temp2)
  (setq temp1 (plugandchug l unknown v))
  (setq *s* r)
  (setq temp2 (plugandchug r unknown v))
  (print (list temp1 temp2 unknown v oldhighv oldlowv))
  (again unknown v oldhighv oldlowv temp1 temp2)
)

;If the two sides of the equation aren't equal (with a tolerance of
;0.00000001) then halve the interval and try again.

(defun again (unknown v oldhighv oldlowv lres rres)
  (cond
    ((< (abs (- lres rres)) 0.00000001) v)
    ((< lres rres)
     (evaluate (car ans) (cddr ans) unknown
               (/ (+ v oldhighv) 2) oldhighv v))
    (t (evaluate (car ans) (cddr ans) unknown
                 (/ (+ v oldlowv) 2) v oldlowv))
  )
)

;substitute v for the unknown in l and simplify the result
(defun plugandchug (l unknown v)
  (setq *s* (sub v in l for unknown))
  (p_logterm)
)

;step through [low, high] in tenths and look for sign changes
(defun findendpoints (low high expr unknown)
  (do ((value low (+ value (abs (/ (- high low) 10)))))
      ((> value high) t)
    (add_crossing (plugandchug expr unknown value) value)
  )
)

;report a sign change between the previous sample point and this one
(defun add_crossing (x endpt)
  (cond
    ((or (and (< x 0) (> lastval 0))
         (and (> x 0) (< lastval 0)))
     (print (list 'adding 'crossing 'at lastpt endpt))
    )
  )
  (setq lastval x)
  (setq lastpt endpt)
)

(defun set_last_the_first_time (expr unknown val)
  (setq lastpt val)
  (setq lastval (plugandchug expr unknown val))
)

(defun find_zeros (expr unknown)
  (cond
    ((null crossings) zeros)
    ; the interval is narrow enough: record it as a zero
    ((< (abs (- (caar crossings)
                (/ (+ (caar crossings) (cadar crossings)) 2)))
        0.001)
     (setq zeros (cons (car crossings) zeros))
     (setq crossings (cdr crossings))
     (find_zeros expr unknown)
    )
    (t
     (set_last_the_first_time expr unknown (caar crossings))
     (findendpoints (caar crossings) (cadar crossings) expr unknown)
     (setq crossings (cdr crossings))
     (find_zeros expr unknown)
    )
  )
)

(defun find_values (low high expr unknown)
  (setq zeros ())
  (setq crossings (list (list low high)))
  (find_zeros expr unknown)
)


;try is a shortcut call to extract a limiting value for r1
(defun try ()
  ; arguments to evaluate: "unknown" "val" "high" "low"
  (evaluate (car ans) (cddr ans) 'r1 500000 1000000 0)
)

;*******************************************************************
;The following setq's define the simulation program to be used as
;data by this program.
;*******************************************************************


(setq IF2
  '(IF
     ((h < 0) ==> (f := -4))
     ((h = 0) ==> (f := 0))
     ((0 < h) ==> (f := 4))
   )
)

(setq IF1
  '(IF
     ((v < NEG ds) ==> (h := v + ds))
     ((v <= ds) ==> (h := 0))
     ((ds < v) ==> (h := v - ds))
   )
)

;constants

(setq C1 '(ra := 0))
(setq C2 '(i := 900))
(setq C3 '(ma := 12.5))
(setq C4 '(fa := 4))
(setq C5 '(g1 := 0.13))
(setq C6 '(g2 := 11.9))
(setq C7 '(ds := 0.025))
(setq C8 '(r2 := 33000))
(setq C9 '(r3 := 25000))
(setq C10 '(pi := 3.14159))
(setq C11 '(x := 12.0779))
(setq C12 '(x1dot := -1.2732))
(setq C13 '(rc := pi / 180))
(setq C14 '(dc := 180 / pi))

;meta-constants (r1, the mistrusted component, is left unassigned)

(setq M1 '(c1 := 1 / (1 + (1 + r3 / r2) * (r1 / r3))))
(setq M2 '(c2 := 1 / (1 + (1 + r3 / r1) * (r2 / r3))))

;statements

(setq S1 '(ev := g2 * sin ((ra - x) * rc)))
(setq S2 '(fv := NEG g1 * x1dot))
(setq S3 '(v := c1 * ev + c2 * fv))
(setq S4 IF1)
(setq S5 IF2)
(setq S6 '(x2dot := (f * ma / i) * dc))

(setq pgm (list C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12 C13 C14
                M1 M2
                S1 S2 S3 S4 S5 S6))


;*******************************************************************

;obtain the weakest precondition
(defun weakest_precondition ()
  (setq temporary (wp pgm '(x2dot = 3.1831)))
)

;simplify it
(defun simplification ()
  (setq *s* temporary)
  (p_logterm)
)

;find the value for r1
(defun ultimate ()
  (weakest_precondition)
  (setq ans (simplification))
  (try)
)